Part 10. Security, Privacy and Assurance
Chapter 5. Privacy and Information Protection
Section 1. Privacy Policy

10.5.1 Privacy Policy

Manual Transmittal
September 24, 2020

Purpose
(1) This transmits revised IRM 10.5.1, Privacy and Information Protection, Privacy Policy.

Background
IRM 10.5.1 is part of the Security, Privacy and Assurance policy family, IRM Part 10 series for IRS Privacy and Information Protection.

Material Changes
(1) This version incorporated the Interim Guidance (IG) Memo PGLD-10-1119-0005, Interim Guidance on Need to Know Access, dated December 27, 2019, in the Key Privacy Definitions section in IRM 10.5.1.2 on Need to Know, IRM 10.5.1.2.8.
(2) Some sections changed names:
- Examples of SBU Data to Examples and Categories of SBU Data.
- Examples of PII to Examples and Categories of PII.
- Servicewide Privacy Roles and Responsibilities to IRS-Wide Privacy Roles and Responsibilities.
- Introduction to Privacy-Related Programs to Privacy-Related Programs.
- Identity Assurance Office (IAO) to Identity Assurance (IA).
(3) Section added:
- Printing, to cross-reference existing policy in this and other IRMs.
- Risk Management for Authentication in Non-Electronic Channels (Omni Channel Risk Assessment), to cross-reference this Privacy-Related Program.
- Electronic Signature (e-Signature) Program, to cross-reference this Privacy-Related Program.
(4) Updated terminology, removed outdated information, added examples or explanations, or included references in these sections for clarity:
- Privacy Lifecycle.
- Sensitive But Unclassified (SBU) Data.
- Examples and Categories of SBU Data.
- Personally Identifiable Information (PII).
- Examples and Categories of PII.
- Employees/Personnel.
- Personnel Engaged in Procurement Activities.
- Clean Desk Policy.
- Field and Travel.
- Email.
- Emails with Personal Accounts.
- Surveys by Email.
- Faxing.
- Electronic.
- Disposition and Destruction.
- Shared Drives.
- Telework.
- Online Data.
- Privacy and Civil Liberties Impact Assessment (PCLIA).
- Governmental Liaison (GL).
- Identity Assurance (IA).
- Glossary and Acronyms.
- References.
(5) If the section’s modification date changed, but the section is not listed, then that section had minor edits, clarifications, name changes, updated hyperlinks, or additional examples.

Effect on Other Documents
This version supersedes IRM 10.5.1, dated September 25, 2019. Also, this IRM supports other IRMs in the 10.5 family. This version incorporated the Interim Guidance (IG) Memo PGLD-10-1119-0005, Interim Guidance on Need to Know Access, dated December 27, 2019, in the Key Privacy Definitions section.

Audience
IRM 10.5.1 addresses IRS personnel responsible for ensuring adequate privacy and information protection for all Sensitive But Unclassified (SBU) data, including taxpayer and personnel Personally Identifiable Information (PII). This policy applies to all IRS personnel, as defined in the Glossary and Acronyms section.

Effective Date
(09-24-2020)

Peter C. Wade
Director, Privacy Policy and Compliance (PPC)

10.5.1.1 (09-24-2020) Program Scope and Objectives

This IRM lays the foundation to:
- Protect the privacy of Sensitive But Unclassified (SBU) data for taxpayers and employees, including personally identifiable information (PII), such as Federal Tax Information (FTI, hereafter called tax information), tax return, financial, and employment information regardless of format.
- Use SBU data (including PII and tax information) throughout the privacy lifecycle (creation, collection, receipt, use, processing, maintenance, access, inspection, display, storage, disclosure, dissemination, or disposal) only as authorized by law and as necessary to fulfill IRS responsibilities in compliance with the IRS Privacy Principles (cited in IRM 10.5.1.3.2).
- Destroy or dispose of SBU data when no longer required for business use, in a secure manner to protect privacy.
- Implement and maintain a strong privacy program, which enables the IRS to provide e-government services.

This IRM covers IRS-wide privacy policy, including but not limited to:
- Definition of SBU data (including PII and tax information).
- IRS Privacy Principles.
- IRS-wide privacy roles and responsibilities.
- Privacy guidance on topics such as email, telework, and contractors.
- Introduction to privacy-related programs.

10.5.1.1.1 (09-24-2020) Purpose of the Program

The mission of PGLD is to preserve and enhance public confidence by advocating for the protection and proper use of identity information. The privacy and security of taxpayer and employee information is one of the IRS's highest priorities. PGLD administers privacy and records management policy and initiatives and coordinates privacy and records management-related actions throughout the IRS. [OMB A-130]

PGLD is committed to ensuring the protection of SBU data, including taxpayer and employee PII, from unauthorized access.
The organization identifies and reduces threats to privacy and increases awareness of criminal activities aimed at compromising this information. PGLD also leads IRS privacy and records management policies, coordinates privacy protection guidance and activities, responds to privacy complaints, and promotes data protection awareness throughout the IRS. [OMB A-130, IP-4]

This IRM defines the uniform policies used by IRS personnel and organizations to carry out their responsibilities related to privacy.

This IRM establishes the minimum baseline privacy policy and requirements for all IRS SBU data (including PII and tax information) in order to:
- Establish and maintain a comprehensive privacy program. [OMB A-130]
- Comply with privacy requirements and manage privacy risks. [OMB A-130]
- Ensure the protection and proper use of SBU data of the IRS.
- Prevent unauthorized access to SBU data of the IRS.
- Enable operation of IRS environments and business units that meet the requirements of this policy and support the business needs of the organization.

It is acceptable to employ practices that are more restrictive than those defined in this IRM.

It is the policy of the IRS:
- To establish and manage privacy practices within all offices to create a culture of privacy. This manual provides uniform policies and guidance to be used by all offices.
- To protect SBU data of the IRS at a level commensurate with the risk and magnitude of harm that could result from loss, misuse, or unauthorized access to that information.
- To protect SBU data and allow the use, access, and disclosure of information in accordance with applicable laws, policies, federal regulations, Office of Management and Budget (OMB) Circulars, Treasury Directives (TDs), National Institute of Standards and Technology (NIST) Publications, other regulatory guidance, and best practice methodologies.
- To use best practices methodologies and frameworks, such as Enterprise Life Cycle (ELC) and Enterprise Architecture (EA), to document and improve IRS privacy policy efficiency and effectiveness.

The Director, PGLD, is the IRS Chief Privacy Officer.

For more information about PGLD, refer to IRM 1.1.27, Organization and Staffing, Privacy, Governmental Liaison and Disclosure (PGLD), and PGLD’s Disclosure and Privacy Knowledge Base on IRS Source.

10.5.1.1.2 (03-23-2018) Audience

The audience to which the provisions in this manual apply includes:
- All offices and business, operating, and functional units within the IRS.
- Individuals and organizations having contractual arrangements with the IRS, including employees, seasonal/temporary employees, interns, detailees, contractors, subcontractors, non-IRS-procured contractors, vendors, and outsourcing providers, with any access to SBU data.

Note: This IRM covers all sensitive data used and operated by and on behalf of the IRS no matter what stage of the IT lifecycle it is in (i.e., production, pre-production, and post-production systems).

For the purpose of this IRM, the following terms apply. Hereinafter, this IRM refers to IRS personnel, which includes all categories below:
- IRS personnel or users, which includes:
  1. Employees
  2. Seasonal/temporary employees
  3. Detailees
  4. Interns
  5. Consultants
  6. IRS contractors (including contractors, subcontractors, non-IRS-procured contractors, vendors, and outsourcing providers)
- Authorized or Unauthorized personnel applies to IRS personnel being authorized or unauthorized to perform a particular action.

Note: To be authorized, all personnel must complete required training (IRS annual and role-based privacy, information protection, and disclosure training requirements, Unauthorized Access [UNAX] awareness briefings, and all other specialized privacy training) and background investigations before being given access.
[OMB A-130]

10.5.1.1.3 (09-24-2020) Policy and Program Owners

Privacy Policy and Knowledge Management (PPKM) under PGLD’s Privacy Policy and Compliance (PPC) develops privacy policy in accordance with applicable laws, mandates, guidance, mission, and input from other stakeholders. See the References section in Exhibit 10.5.1-2.

For more information about PGLD, refer to IRM 1.1.27, Organization and Staffing, Privacy, Governmental Liaison and Disclosure (PGLD), and PGLD’s Disclosure and Privacy Knowledge Base on IRS Source.

10.5.1.1.4 (03-23-2018) Primary Stakeholders

All business units are stakeholders regarding privacy.

10.5.1.1.5 (09-24-2020) Background

This IRM serves as the framework for IRS privacy policy and an introduction to PGLD.

This policy establishes the privacy context for the development of related subordinate IRMs, IRS publications, and subordinate procedural guidance such as Standard Operating Procedures (SOP) and Desk Procedures. Subordinate IRMs offer additional privacy program protection information. Subordinate procedural guidance provides detailed guidance for implementing and complying with the requirements within this IRM. For further information, see PGLD’s Disclosure and Privacy Knowledge Base on IRS Source.

If IRM 10.5.1 conflicts with or varies from the subordinate IRMs in the 10.5 series or guidance, IRM 10.5.1 takes precedence, unless the subordinate IRM is more restrictive or otherwise noted.

Note: To deviate from privacy policy, follow the Risk Acceptance Form and Tool (RAFT) process. The executive or other senior official with the authority to formally assume responsibility for the process must sign the RAFT as the approver. The RAFT clearly documents business decisions in the context of risk appetite and/or acceptance. Submit the RAFT to PPKM for review for compliance with privacy laws and regulations. PPKM will not grant exceptions to bypass laws or mandates.
Submit RAFT review requests via email to *Privacy (give topic name in subject line and add Attn: CPO RAFT review). For RAFT guidance, refer to the Office of the Chief Risk Officer.

This policy assigns responsibilities and lays the foundation necessary to measure privacy progress and compliance.

10.5.1.1.6 (09-24-2020) Authority

PGLD’s Privacy Policy and Knowledge Management (PPKM) implements relevant privacy statutes, regulations, guidelines, OMB Memoranda, and other requirements. Various statutes, such as the Privacy Act, FISMA, and Paperwork Reduction Act mandate compliance with OMB policy and NIST guidance, giving them the force of law. The Taxpayer Bill of Rights, codified in IRC 7803(a)(3), requires the IRS to protect taxpayer rights to privacy and confidentiality.

In an effort to reference the origin of a privacy policy cited later in this IRM (National Institute of Standards and Technology (NIST), Treasury, etc.), this IRM may reference a requirement’s origin in brackets at the end of the guidance, such as [PVR-xx] (IRS Privacy Principles and Privacy Requirements), [AP-01] (NIST Privacy Controls), or [TD P 85-01] (Treasury Directive Publications). If no specific origin reference appears, multiple origins may apply. Lack of a reference citation does not indicate no origin applies.

The primary laws include:
- Privacy Act (1974).
- Computer Matching and Privacy Protection Act (1988).
- Freedom of Information Act (FOIA) (1974).
- Internal Revenue Code (primarily IRC 6103 and IRC 7803(a)(3)).
- The Taxpayer Browsing Protection Act (1997).
- Federal Information Security Modernization Act of 2014 (FISMA).
- E-Government Act (2002).
- Health Insurance Portability and Accountability Act (1996) (HIPAA).

The most relevant OMB Circulars and Memos are:
- OMB Circular No. A-108, Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act.
- OMB Circular No. A-130, Management of Federal Information Resources.
- M-03-22 – OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002.
- M-10-22 – Guidance for Online Use of Web Measurement and Customization Technologies.
- M-10-23 – Guidance for Agency Use of Third-Party Websites and Applications.
- M-14-04 – Fiscal Year 2013 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management.
- M-16-24 – Role and Designation of Senior Agency Officials for Privacy.
- M-17-06 – Policies for Federal Agency Public Websites and Digital Services.
- M-17-12 – Preparing for and Responding to a Breach of Personally Identifiable Information.

Relevant NIST guidance includes:
- NIST SP 800-53 Rev. 4, Security and Privacy Controls for Federal Information Systems and Organizations.
- NIST SP 800-63, Digital Identity Guidelines.
- NIST SP 800-88, Guidelines for Media Sanitization.
- NIST SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII).

The relevant Department of the Treasury directives and publications are:
- Treasury Directive Publication (TD P) 15-71, Treasury Security Manual.
- Treasury’s Privacy and Civil Liberties Impact Assessment (PCLIA) Template and Guidance.
- TD P 85-01, Treasury Information Technology (IT) Security Program.

For a full listing of and links to privacy-related statutes, regulations, guidelines, OMB Memoranda, and other materials relevant to this IRM, see Exhibit 10.5.1-2, References.

10.5.1.2 (03-23-2018) Key Privacy Definitions

To support the IRS mission, understanding the key privacy definitions in the following subsections is essential.

10.5.1.2.1 (09-24-2020) Privacy Lifecycle

The concept of a privacy and information lifecycle refers to the creation, collection, receipt, use, processing, maintenance, access, inspection, display, storage, disclosure, dissemination, or disposal of SBU data (including PII and tax information), regardless of format.
[OMB A-130]

IRS personnel must protect SBU data (including PII and tax information) throughout the privacy lifecycle, from receipt to disposal.

10.5.1.2.2 (09-24-2020) Sensitive But Unclassified (SBU) Data

Sensitive But Unclassified (SBU) data is any information which if lost, stolen, misused, or accessed or altered without proper authorization, may adversely affect the national interest or the conduct of federal programs (including IRS operations), or the privacy to which individuals are entitled under the Privacy Act. For the full definition, refer to TD P 15-71, Treasury Security Manual, Chapter III, Section 24, Sensitive But Unclassified Information.

SBU data includes, but is not limited to:
- Tax information protected by IRC 6103, Personally Identifiable Information (PII), Protected Health Information (PHI), certain procurement information, system vulnerabilities, case selection methodologies, system information, enforcement procedures, investigation information.
- Live data, which is defined as production data in use. Live means that when changing the data, it changes in production. The data may be extracted for testing, development, etc., in which case, it is no longer "live". Live data often contains SBU data (including PII and tax information); however, tax information remains tax information whether it is live in a production environment or is removed to a non-production environment.

Note: For classified information, see IRM 10.9.1, National Security Information, for additional procedures for protecting classified information.

All IRS personnel must protect SBU data. Personnel must restrict access, inspection, and disclosure of SBU data to others who have a need to know the information. [PVR-05]

For more information on encryption and other protections, see the Practical Privacy Policy section in IRM 10.5.1.6.
For more information, see the Need to Know section in IRM 10.5.1.2.8.
Refer to IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance, sections on Access Controls and Least Privilege for information about limiting access to people who have a need to know the information.
Refer to IRM 11.3.22, Disclosure of Official Information, Disclosure to Federal Officers and Employees for Tax Administration Purposes, for the section, Access by IRS Employees Based on Need to Know.

SBU data includes categories of protected information which many IRS personnel handle on a daily basis, such as PII and tax information. It also includes other categories, such as procurement (which can include general procurement and acquisition, small business research and technology, and source selection) and system information (which can include critical infrastructure categories like information systems vulnerability information, physical security, emergency management).

Personnel must determine if the SBU data is necessary to do business (does it support the business purpose of the system or the organization’s mission?). If it does not serve a valid business purpose, then the IRS must not collect that SBU data. If that SBU data does serve a business purpose, then the IRS may use it throughout the privacy lifecycle appropriately. For more information, see the IRS Privacy Principles section in IRM 10.5.1.3.2. [Privacy Act; PVR-02; PVR-03]

Complete a Privacy and Civil Liberties Impact Assessment (PCLIA) for any system using SBU data. Refer to IRM 10.5.2, Privacy and Information Protection, Privacy Compliance and Assurance, for more information about PCLIAs.

SBU data in a public record is still SBU data; however, different protections apply. To determine if publicly available SBU data or SBU data in the public record is still sensitive, see the Public Record section in IRM 10.5.1.2.3.2.

For more information on PII, see the Protecting and Safeguarding SBU Data and PII section in IRM 10.5.1.6.1.
10.5.1.2.2.1 (09-24-2020) Examples and Categories of SBU Data

Some examples and categories of IRS SBU data include, but are not limited to:
- Personally Identifiable Information (PII) in this IRM refers to Privacy information and its subcategories. Specific categories might be discussed in more detail. These categories include:
  - Contract use.
  - Death records.
  - General privacy.
  - Genetic information.
  - Health information, also known as Protected Health Information (PHI).
  - Inspector General protected.
  - Military personnel records.
  - Personnel records.
  - Student records.
- Tax Information refers to a Tax category that includes:
  - Federal Taxpayer Information (FTI), which includes individual and corporate (or other business) tax return information under IRC 6103.
  - Tax convention.
  - Taxpayer Advocate information.
  - Written determinations.
  Note: Tax information is also PII if it identifies an individual.
- Documents marked "Official Use Only" (OUO).
- Certain Procurement information, which can include:
  - General procurement and acquisition (such as contract proposals).
  - Small business research and technology.
  - Source selection.
- Financial information in the Finance category, including:
  - Bank Secrecy Act (31 U.S.C. Bank Secrecy Act protected reports filed by financial institutions).
  - Budget.
  - Retirement.
  - Electronic funds transfer.
  - General financial information.
  - International financial institutions.
  - Mergers.
  - Net worth.
- Criminal Investigation and Law Enforcement information, such as:
  - General Law Enforcement (procedures and training materials).
  - Informant (identification, activities, contacts, payments, and correspondence).
  - Investigation (identifiers, associations, and relationships; investigative records received from other law enforcement and regulatory agencies, foreign and domestic; records related to investigation related travel and financing).
  - Law Enforcement Financial Records (and other records obtained via witness consent, subpoena, summons, search warrant, or any other legal process).
  - Pen Register/Trap & Trace.
  - Reward (recipient and payment information).
  - Whistleblower Identity. (Refer to IRC 7623 or the Whistleblower Protection Act of 1989, Pub.L. 101-12 as amended. For more information, refer to IRM 25.2.1, Information and Whistleblower Awards, Receiving Information.)
- Case selection methodologies including tolerance criteria or general investigation parameters.
- Proprietary processes or algorithms used in investigative work or tax processing.
- Critical infrastructure category information, which includes:
  - Information system vulnerabilities information (referred to as system information in this IRM), which includes passwords.
  - Physical security information, such as details of facility vulnerabilities (entry codes, badge access, etc.).
  - Emergency management.
- Proprietary business information entrusted to the IRS.
- Confidential data to be released to the public at a later date.
- Legal information, including:
  - Administrative Proceedings.
  - Collective Bargaining.
  - Federal Grand Jury (18 U.S.C. Grand Jury information protected by Rule 6(e) of the Federal Rules of Criminal Procedure).
  - Legal Privilege (including draft, predecisional, and deliberative information).
  - Legislative Materials (including Congressional or state).
- 18 U.S.C. 1905 information protected under the Trade Secrets Act (trade secrets, processes, operations, style of work, or apparatus, or confidential statistical data, amount or source of any income, profits, losses, or expenditures of any person, firm, partnership, corporation, or association).

10.5.1.2.2.2 (09-24-2020) Official Use Only and Limited Official Use

By definition, documents designated as "Official Use Only" (OUO) and "Limited Official Use" (LOU) contain SBU data.

For more information, see IRM 11.3.12, Disclosure of Official Information, Designation of Documents.
10.5.1.2.2.3 (09-24-2020) Freedom of Information Act (FOIA) and SBU Data

The Freedom of Information Act (FOIA) exempts most SBU data from release to the public under one of the nine exemptions listed in 5 U.S.C. 552(b). However, the fact that the IRS must release certain information if requested under FOIA does not automatically remove its status as SBU data. [FOIA]

For more information, see IRM 11.3.13, Freedom of Information Act.

10.5.1.2.3 (09-24-2020) Personally Identifiable Information (PII)

Personally identifiable information means information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual. [OMB A-130]

For IRS purposes:
- To distinguish an individual is to identify an individual. For example, an individual might be distinguished by a passport identification number or Social Security Number (SSN). However, a list of credit scores without any other information concerning the individual does not distinguish the individual.
- To trace an individual is to process sufficient information to make a determination about a specific aspect of an individual’s activities or status, such as with an audit log.
- Linked information is information about or related to an individual that is logically associated with other information about the individual.
- Linkable information is information about or related to an individual for which there is a possibility of logical association with other information about the individual.
[GAO Report 08-536, Privacy: Alternatives Exist for Enhancing Protection of Personally Identifiable Information, May 2008, http://www.gao.gov/new.items/d08536.pdf]

The definition of PII is not anchored to any single category of information or technology. Rather, it requires a case-by-case assessment of the specific risk that an individual can be identified.
Personnel should know that non-PII can become PII whenever additional information becomes available — in any medium and from any source — that, when combined with other available information, could be used to identify an individual. [NIST SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII); OMB Memorandum M-10-23] See the Examples and Categories of PII section in IRM 10.5.1.2.3.1 for more information. Refer to the PGLD Disclosure and Privacy Knowledge Base on IRS Source. . Submit a PCLIA for any system using PII. Refer to IRM 10.5.2 for more information about PCLIAs. PII in a public record is still PII; however, different protections apply. To determine if publicly available PII or PII in the public record is still sensitive, see the Public Record section in IRM 10.5.1.2.3.2. For more information on PII, see the Protecting and Safeguarding SBU Data and PII section in IRM 10.5.1.6.1. 10.5.1.2.3.1 (09-24-2020) Examples and Categories of PII Examples and categories of PII include, but are not limited to: Name, such as full name, maiden name, mother’s maiden name, alias, or name control (first 4 letters of last name). Address information, such as street address or email address. A unique set of numbers or characters assigned to a specific individual, such as: 1. Telephone numbers, including mobile, business, and personal numbers. 2. SSN, including the last 4 digits. 3. Taxpayer identification number (TIN) that identifies an individual, such as an Employer Identification Number (EIN) for a sole proprietorship or partnership. 4. Document locator number (DLN) to identify an individual’s record. 5. Email or Internet Protocol (IP) address. 6. Driver’s license number. 7. Passport number. 8. Financial account or credit card number. 9. Standard Employee Identifier (SEID). 10. Automated Integrated Fingerprint Identification System (AIFIS) identifier, booking, or detention system number. 11. 
Universally Unique Identifier (UUID), a unique random number generated for each individual taxpayer in the electronic authentication process (eAuth). Employee and employee information, including personnel files, employment testing materials, medical information, and Americans with Disabilities Act (ADA) accommodations. Individual tax return information. Corporate or other business tax return information that identifies an individual, such as an S-Corporation, partnership, or sole proprietorship. Personal characteristics and data, including: 1. Date of birth. 2. Place of birth. 3. Age. 4. Height. 5. Weight. 6. Gender. 7. Hair color. 8. Eye color. 9. Race. 10. Ethnicity. 11. Scars. 12. Tattoos. 13. Distinguishing features. 14. Religious affiliation. 15. Sexual orientation. 16. Gang affiliation. 17. Photographic image (especially of face or other distinguishing characteristic). 18. Biometric information (such as x-rays, fingerprints, retina scan, voice signature, facial geometry, DNA). Asset information, such as Media Access Control (MAC) address, Device ID, or other host-specific persistent static identifier that consistently links to a particular person or small, well-defined group of people. Descriptions of events or times (information in documents, such as police reports, arrest reports, and medical records). Descriptions of locations, such as geographic information system (GIS), GPS data, and electronic bracelet monitoring information. Information identifying personally owned property, such as vehicle registration number or title number and related information. Exception: "Constitutionally Required Disclosures" — Some situations require disclosure of information, including SBU data, such as criminal cases where the IRS has a constitutional obligation to disclose, upon the defendant's request, evidence material either to guilt or punishment (exculpatory evidence). 
For more details, refer to IRM 11.3.35, Requests and Demands for Testimony and Production of Documents.

- Information about an individual that is linked or linkable to one of the above.

10.5.1.2.3.2 (09-24-2020) Public Record

IRS personnel must protect SBU data regardless of whether the same information is in the public record or publicly available. However, less stringent protections might apply in some situations.

Generally, personnel must encrypt SBU data (including PII). However, inside the IRS network, encryption is not required if the IRS proactively makes it available to all personnel on internal resource sites (including, but not limited to, Discovery Directory, Outlook [calendar, profile information, and address book], intranet, and SharePoint site collections), such as names, SEID, and business contact information. [NIST SP 800-122; TD P 85-01, Appendix A, AC-20(3)_T.028, and MP-6(3)_T.124]

Email addresses, by themselves as the method of the email conveyance, generally do not need encrypting. However, when combined with the content and attachments of an email, the email address may become SBU data. Encryption rules still apply for the body of emails and attachments. See the Email section in IRM 10.5.1.6.8 for more information on email.

As for other SBU data and PII in the public record or publicly available, the requirements differ, depending on the information.

Note: Tax information must always be protected under IRC 6103. No IRC 6103 public records exemption exists. However, the Information Which Has Become Public Record section of IRM 11.3.11, Other Information Available to the Public, discusses disclosure of matters that have become public records as a result of tax administration, such as court cases. This is referred to as the judicially created public records exception.

Treasury security guidance exempts Treasury information made available proactively to the public from certain encryption controls. This implies another public records exception based on information the agency makes available to the public. [TD P 85-01, Appendix A, AC-20(3)_T.028, and MP-6(3)_T.124]

The Public Information Listing (PIL) designated by OPM makes six items of information available to the public by FOIA request. These items include: [5 CFR 293.311]
- Employee name.
- Present and past position titles and occupational series.
- Present and past grades.
- Present and past annual salary rates (including awards or bonuses, etc.).
- Present and past official duty stations (no telework information).
- Position descriptions, identification of job elements, and certain performance standards (but not actual performance appraisals).

However, OPM exempts release of information on employees in these sensitive positions:
- GS-0083, Police Officer
- GS-0512, Revenue Agent
- GS-0930, Appeals Officer
- GS-1169, Revenue Officer
- GS-1171, Property Appraisal and Liquidation Specialist
- GS-1801, General Inspection, Investigation and Compliance
- GS-1802, Compliance Inspection and Support
- GS-1805, Investigative Analyst
- GS-1810, General Investigating
- GS-1811, Special Agent

IRS policy also authorizes the withholding of the public information items of employees in cybersecurity designated positions. Cybersecurity designated positions are not identified by a specific GS/IR series or position title.

Personnel should exercise caution and consult with PGLD regarding any questions they might have about application of a public record exception, on a case-by-case basis, prior to reducing privacy protections based on a public record exception.

To request assistance or for further information, email *Privacy. For more information, refer to IRM 11.3.13, Freedom of Information Act.

10.5.1.2.3.3 (09-24-2020) Defining PII versus Sensitive PII

Little difference exists between PII and what personnel refer to as "sensitive" PII.
As defined in the PII section in IRM 10.5.1.2.3, personally identifiable information means information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual. [OMB A-130]

The level of risk increases with the potential level of harm caused by exposed SBU data or PII. Context remains important. PII that does not seem high risk may still require protection if its context makes it risky. For example, a collection of names:

Is not Sensitive PII if it is a list, file, query result, etc., of:
- Attendees at a public meeting.
- Names out of a public telephone book.
- FOIA listing of IRS employees in non-protected positions.

Is Sensitive PII if it is a list, file, query result, etc., of:
- Individual taxpayers who filed returns.
- Law enforcement personnel.
- Employees with poor performance ratings.

For more information, see the Deciding Risk Levels for SBU Data and PII section in IRM 10.5.1.6.1.1.

10.5.1.2.4 (09-24-2020) Federal Tax Information (FTI)

The term tax information, or Federal Tax Information (FTI), refers to a taxpayer’s return and return information protected from unauthorized disclosure under IRC 6103. This law defines return information as any information the IRS has about a tax return or liability determination. This return information includes, but is not limited to, a taxpayer’s:
- Identity.
- Income, payments, deductions, exemptions, or credits.
- Assets, liabilities, or net worth.
- Tax liability investigation status (whether the IRS ever investigates or examines the return).

Redacting, masking, truncating, or sanitizing tax information does not change its nature. It is still tax information.

Tax information in IRS business processes comes under many names, such as FTI, IRC 6103-protected information, 6103, taxpayer data, taxpayer information, tax return information, return information, case information, SBU data, and PII.
The term "live data" should not be used to describe tax information, unless it is in a production environment as discussed in the Sensitive But Unclassified (SBU) Data section in IRM 10.5.1.2.2.

Tax information is SBU data. IRC 6103 protects tax information from unauthorized disclosure. When tax information relates to an individual, that SBU data is also PII. [IRC 6103(b)(2)]

Submit a Privacy and Civil Liberties Impact Assessment (PCLIA) for any system using SBU data (including PII and tax information). Refer to IRM 10.5.2 for more information about PCLIAs.

See these subsections in this IRM for more information:
- Protecting and Safeguarding SBU Data and PII, IRM 10.5.1.6.1.
- SBU data, IRM 10.5.1.2.2.
- PII, IRM 10.5.1.2.3.

For more information about return information and a definition, refer to IRM 11.3.1, Disclosure of Official Information, Introduction to Disclosure.

10.5.1.2.5 (09-24-2020) UNAX

The term UNAX defines the act of committing an unauthorized access or inspection of any tax information contained on paper or within any electronic format. An access or inspection is unauthorized if it is done without a management-assigned IRS business need.

The IRS created the unauthorized access or inspection of tax information and records (UNAX) program to implement privacy protection and statutory unauthorized access and browsing prevention requirements. UNAX is governed by the Taxpayer Browsing Protection Act.

For more information about UNAX, refer to IRM 10.5.5, IRS Unauthorized Access, Attempted Access or Inspection of Taxpayer Records (UNAX) Program Policy, Guidance and Requirements.

10.5.1.2.6 (09-24-2020) Unauthorized Access of SBU Data

While statutory UNAX (based on the Taxpayer Browsing Protection Act) refers to unauthorized access to tax information, unauthorized access to SBU data is governed by other statutes and by Treasury and IRS policy. [TD P 15-71, Treasury Security Manual, Chapter III, Section 24, Sensitive But Unclassified Information]

The term unauthorized access of SBU data defines the act of committing an unauthorized access or inspection of any SBU data (not tax information) contained on paper or within any electronic format. An access or inspection is unauthorized if it is done without a management-assigned IRS business need.

See Sensitive But Unclassified (SBU) Data, IRM 10.5.1.2.2, and Need to Know, IRM 10.5.1.2.8.

Refer to 18 U.S. Code 1030 - Fraud and related activity in connection with computers; 44 U.S. Code Chapter 35 (44 U.S.C. 3551-3558); and Privacy Act of 1974, 5 U.S.C. 552a.

10.5.1.2.7 (09-24-2020) Privacy Act Information

The Privacy Act of 1974 (Privacy Act) forms the core of IRS privacy policy. It provides certain safeguards for an individual against an invasion of personal privacy by requiring federal agencies to:
- Collect, maintain, use, or disseminate any record of identifiable personal information in a manner that ensures that such action is for a necessary and lawful purpose.
- Ensure that the information is current and accurate.
- Ensure that the information is for its intended use.
- Provide adequate safeguards to prevent misuse of such information.

The Privacy Act applies to agency records retrieved by an identifier for an individual. The term "record" includes, but is not limited to, education, financial transactions, medical history, and criminal or employment history and that contains name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a fingerprint or a photograph.

Privacy Act information is PII because it identifies individuals. Therefore, it is also SBU data. As with any other SBU data, disclosure must be restricted to persons authorized to have access to the information pursuant to the Privacy Act.

For more information on the Privacy Act, refer to IRM 10.5.6, Privacy Act.
10.5.1.2.8 (09-24-2020) Need To Know

Restrict access to SBU data (including PII and tax information) to those IRS personnel who have a need for the information in the performance of their duties.

The term "need to know" describes the requirement that personnel may access SBU data (including PII and tax information) only as authorized to meet a legitimate business need, which means that they need the information to perform their duties. See examples later in this section for explanations of how need to know applies to duties.

Note: See Unauthorized Access of SBU Data, IRM 10.5.1.2.6, and UNAX, IRM 10.5.1.2.5.

Personnel (including current employees, rehired annuitants, returning contractors, etc.) who change roles or assignments may access only the SBU data (including PII and tax information) for which they still have a business need to know to perform their duties. If they no longer have a business need to know, they must not access the information. This policy includes, but is not limited to, information in systems, files (electronic and paper), and emails, even if technology does not prevent access.

Example: A compliance case has a litigation hold or similar request in place. An employee, even if in a new assignment, may retain and access old case files from their previous role if they need to retrieve them for a litigation hold or similar request.

Example: A former employee now works for a vendor who has a contract with the IRS. The former employee may not access old files in email or on their laptop from their previous role with the IRS, even if those files are archived under their SEID. The IRS will provide any information necessary to perform the current contract on a need-to-know basis.

Note: To determine applicability of employee duties, based on sensitivity of information, refer to the position description or contact Labor Relations.

Personnel must ensure their own adherence to this need-to-know policy.
This standard is less stringent than a "cannot function without it" test. For each use, personnel must consider whether they can perform their official duties properly, efficiently, or appropriately without the information. Necessary for official duties in this context does not mean essential or indispensable, but rather appropriate and helpful in obtaining the information sought.

Personnel who have a need to know must be informed of the protection requirements under the law by management and must have an appropriate level of clearance through a background investigation, typically covered by the onboarding and training process.

Need to know supports the "relevant and necessary" aspect of the Purpose Limitation Privacy Principle and the Privacy Act. It conveys the statutory restrictions to disclose protected information to those who have an authorized need for the information in the performance of their duties. The Strict Confidentiality Privacy Principle requires this, as does the NIST Privacy Control for Privacy Monitoring and Auditing and Security Controls in the Access Control family. [PVR-02; PVR-05; Privacy Act; IRC 6103 and 7803(a)(3); UNAX; Treasury’s Privacy and Civil Liberties Impact Assessment (PCLIA) Template and Guidance; AR-4; NIST 800-53]

Access to classified national security information requires more stringent controls which are addressed in IRM 10.9.1, National Security Information.

Refer to IRM 11.3.22, Disclosure of Official Information, Disclosure to Federal Officers and Employees for Tax Administration Purposes, for information about Access by IRS Employees Based on Need to Know.

10.5.1.3 (09-24-2020) Key Privacy Concepts

The IRS Privacy Principles and federally mandated Privacy Controls describe how the IRS protects an individual’s right to privacy. IRS Privacy Requirements (PVR), system requirements derived from IRS Privacy Principles and linked to the Privacy Controls, form the basis for privacy protection within the IRS.
They mirror the IRS Privacy Principles and provide high-level privacy requirements applicable to the IRS Enterprise Architecture.

Adherence to IRS Privacy Principles and Requirements is mandatory for management officials responsible for protecting SBU data (including PII and tax information). For a listing of the IRS Privacy Requirements, refer to the Enterprise Architecture site on IRS Source.

10.5.1.3.1 (09-24-2020) Privacy Controls

The NIST Special Publication (SP) 800-53 (Rev. 4), Appendix J, outlines 26 privacy controls in eight (8) groups designed to protect privacy for the lifecycle of PII. These controls establish a relationship between privacy and security controls. OMB A-130 mandates implementation of NIST privacy controls.

The IRS applies NIST privacy controls within its Privacy Principles and Privacy Requirements. See the IRS Privacy Principles section in IRM 10.5.1.3.2 to view the connections.

ID     Privacy Controls
AP     Authority and Purpose
AP-1   Authority to Collect
AP-2   Purpose Specification
AR     Accountability, Audit, and Risk Management
AR-1   Governance and Privacy Program
AR-2   Privacy Impact and Risk Assessment
AR-3   Privacy Requirements for Contractors and Service Providers
AR-4   Privacy Monitoring and Auditing
AR-5   Privacy Awareness and Training
AR-6   Privacy Reporting
AR-7   Privacy-Enhanced System Design and Development
AR-8   Accounting of Disclosures
DI     Data Quality and Integrity
DI-1   Data Quality
DI-2   Data Integrity and Data Integrity Board
DM     Data Minimization and Retention
DM-1   Minimization of Personally Identifiable Information
DM-2   Data Retention and Disposal
DM-3   Minimization of PII Used in Testing, Training, and Research
IP     Individual Participation and Redress
IP-1   Consent
IP-2   Individual Access
IP-3   Redress
IP-4   Complaint Management
SE     Security
SE-1   Inventory of Personally Identifiable Information
SE-2   Privacy Incident Response
TR     Transparency
TR-1   Privacy Notice
TR-2   System of Records Notices and Privacy Act Statements
TR-3   Dissemination of Privacy Program Information
UL     Use Limitation
UL-1   Internal Use
UL-2   Information Sharing with Third Parties

The IRS conducts privacy continuous monitoring through its comprehensive privacy program. [OMB A-130]

10.5.1.3.2 (09-24-2020) IRS Privacy Principles

The public trusts the IRS and its personnel to protect taxpayer privacy and safeguard confidential tax information. The IRS is dedicated to meeting this expectation. All IRS personnel are required to conduct their actions in a way that reflects a commitment to treat individuals fairly, honestly, and respectfully, and protect their right to privacy at all times. [OMB A-130]

Protecting taxpayer privacy and safeguarding confidential tax information is a public trust. To maintain this trust, the IRS and its personnel must follow these privacy principles:
- Accountability
- Purpose Limitation
- Minimizing Collection, Use, Retention, and Disclosure
- Openness and Consent
- Strict Confidentiality
- Security
- Data Quality
- Verification and Notification
- Access, Correction, and Redress
- Privacy Awareness and Training

The IRS derived the privacy principles from the Fair Information Practice Principles (FIPPs) and the Privacy Act. IRS Policy Statement 1-1 reflects these principles in the Policy Statements for Organization, Finance and Management Activities section of IRM 1.2.1, Servicewide Policies and Authorities – Policy Statements for Organization, Finance and Management Activities.

10.5.1.3.2.1 (09-24-2020) Accountability [PVR-01]

All IRS personnel are responsible and accountable for the effective implementation of privacy protections. [PVR-01]

Related NIST 800-53 Privacy Controls include, but are not limited to:
- Accountability, Audit and Risk Management:
  1. AR-1: Governance and Privacy Program
  2. AR-2: Privacy Impact and Risk Assessment
  3. AR-3: Privacy Requirements for Contractors and Service Providers
  4. AR-4: Privacy Monitoring and Auditing
  5. AR-6: Privacy Reporting
  6. AR-8: Accounting of Disclosures

10.5.1.3.2.2 (06-15-2016) Purpose Limitation [PVR-02]

PII will be collected and used only when necessary and relevant for legitimate IRS purposes, namely tax administration and other authorized purposes. [PVR-02]

Related NIST 800-53 Privacy Controls include, but are not limited to:
- Authority and Purpose:
  1. AP-1: Authority to Collect
- Use Limitation:
  1. UL-1: Internal Use
  2. UL-2: Information Sharing with Third Parties

10.5.1.3.2.3 (06-15-2016) Minimizing Collection, Use, Retention, and Disclosure [PVR-03]

The collection, use, retention, and disclosure of PII will be limited to what is minimally necessary for the specific purposes for which it was collected, unless specifically authorized. [PVR-03]

Related NIST 800-53 Privacy Controls include, but are not limited to:
- Authority and Purpose:
  1. AP-2: Purpose Specification
- Accountability, Audit and Risk Management:
  1. AR-7: Privacy-Enhanced System Design and Development
- Data Minimization and Retention:
  1. DM-1: Minimization of Personally Identifiable Information
  2. DM-2: Data Retention and Disposal
  3. DM-3: Minimization of PII used in Testing, Training and Research

10.5.1.3.2.4 (06-15-2016) Openness and Consent [PVR-04]

The IRS will make its privacy policies and practices readily available to individuals, such that individuals will be informed of the collection, use, retention, and disclosure of their PII, and will obtain individuals’ consent to the greatest extent practicable. [PVR-04]

Related NIST 800-53 Privacy Controls include, but are not limited to:
- Individual Participation and Redress:
  1. IP-1: Consent
- Transparency:
  1. TR-1: Privacy Notice
  2. TR-2: System of Records Notices and Privacy Act Statements
  3. TR-3: Dissemination of Privacy Program Information

10.5.1.3.2.5 (09-24-2020) Strict Confidentiality [PVR-05]

PII will only be accessed by or disclosed to authorized individuals who require the information for the performance of official duties.
Browsing of confidential information, including PII, by unauthorized IRS personnel will not be tolerated. Protected information includes confidential information of all individuals, not just taxpayers. Protected information includes, but is not limited to, confidential information of IRS employees, volunteers, practitioners, and other individuals who interact with the IRS. [PVR-05]

Related NIST 800-53 Privacy Controls include, but are not limited to:
- Accountability, Audit and Risk Management:
  1. AR-4: Privacy Monitoring and Auditing
- Use Limitation:
  1. UL-1: Internal Use

10.5.1.3.2.6 (06-15-2016) Security [PVR-06]

Appropriate administrative, technical, and physical safeguards will be provided to protect against the unauthorized collection, use, and disclosure of SBU data, including PII. [PVR-06]

Related NIST 800-53 Privacy Controls include, but are not limited to:
- Data Quality and Integrity:
  1. DI-2: Data Integrity and Data Integrity Board
- Security:
  1. SE-1: Inventory of Personally Identifiable Information
  2. SE-2: Privacy Incident Response

10.5.1.3.2.7 (06-15-2016) Data Quality [PVR-07]

Requirements governing the accuracy, completeness, and timeliness of PII will be to ensure fair treatment of all individuals. Information will be collected, to the greatest extent practicable, directly from the individual to whom it relates. [PVR-07]

Related NIST 800-53 Privacy Controls include, but are not limited to:
- Data Quality and Integrity:
  1. DI-1: Data Quality

10.5.1.3.2.8 (06-15-2016) Verification and Notification [PVR-08]

All information about individuals will be verified with the individual, as well as any other relevant sources, to the greatest extent possible before adverse action is taken based on that information. Individuals will be notified prior to final action to the greatest extent possible. [PVR-08]

Related NIST 800-53 Privacy Controls include, but are not limited to:
- Data Quality and Integrity:
  1. DI-2: Data Integrity and Data Integrity Board

10.5.1.3.2.9 (06-15-2016) Access, Correction, and Redress [PVR-09]

Individuals will be able to access and correct their PII upon request to the maximum extent allowable. Individuals include, but are not limited to, taxpayers, IRS employees, IRS contractors, practitioners, and others who interact with the IRS. Individuals will be able to contest determinations made based on allegedly incomplete, inaccurate, or out-of-date PII to the maximum extent allowable. [PVR-09]

Related NIST 800-53 Privacy Controls include, but are not limited to:
- Individual Participation and Redress:
  1. IP-2: Individual Access
  2. IP-3: Redress
  3. IP-4: Complaint Management

10.5.1.3.2.10 (09-24-2020) Privacy Awareness and Training [PVR-10]

IRS personnel will be made aware of, and appropriately trained, in the proper treatment of SBU data, including PII. [PVR-10]

Related NIST 800-53 Privacy Controls include, but are not limited to:
- Accountability, Audit and Risk Management:
  1. AR-5: Privacy Awareness and Training

10.5.1.4 (09-24-2020) IRS-Wide Privacy Roles and Responsibilities

The IRS implements privacy roles and responsibilities for personnel in accordance with federal laws and privacy guidelines.

10.5.1.4.1 (09-24-2020) Employees/Personnel

IRS personnel (as defined in the Audience section in IRM 10.5.1.1.2) must:
- Keep informed of and adhere to applicable IRS privacy policies and procedures.
- Limit access to records containing SBU data.
- Use SBU data only for the purposes for which it was collected, unless other purposes are legally mandated or authorized.
- Limit the disclosure of SBU data to that which is necessary and relevant for tax administration and other legally mandated or authorized purposes.
- Prevent unnecessary access, inspection, and disclosure of SBU data in information systems, programs, electronic formats, and hardcopy documents by adhering to proper safeguarding measures.
- Safeguard IRS information and information systems entrusted to them.
- Use IRS email accounts for performance of official duties.
- Follow existing IT Security Policy on use of IRS-furnished equipment to process IRS information, not personally-owned or non-IRS furnished equipment (including cloud or web-based systems or services). Refer to the AC-20 Use of External Information Systems and Personally-Owned and Other Non-Government Furnished Equipment sections of IRM 10.8.1.
- Complete IRS annual and role-based privacy, information protection, and disclosure training requirements, UNAX awareness briefings, and all other specialized privacy training, as required.
- Immediately complete Form 11377-E, Taxpayer Data Access, to document the access of taxpayer return information when the accesses are not supported by direct case assignment, were performed in error, or when the access may raise a suspicion of an unauthorized access.
- Stay aware of the consequences of UNAX violations, including accessing their own records, those of coworkers, family, friends, celebrities, and other covered relationships. For information regarding the IRS-wide UNAX program and links to all UNAX forms, refer to the UNAX site on the PGLD Disclosure and Privacy Knowledge Base on IRS Source.
- Report a data loss, theft, or improper disclosure of sensitive information immediately upon discovery of the loss to:
  1. Their manager and
  2. The appropriate organizations based on what was lost or disclosed.

Note: For more information on reporting an incident, see IRM 10.5.4, Privacy and Information Protection, Incident Management Program, or the Report Losses, Thefts or Disclosures of Sensitive Data; Report Lost or Stolen IT Assets site on the PGLD Disclosure and Privacy Knowledge Base on IRS Source.
IRS personnel must follow privacy and security responsibilities outlined in IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance, and IRM 10.8.2, Information Technology (IT) Security, IT Security Roles and Responsibilities.

10.5.1.4.2 (09-24-2020) Management

In addition to the Employee/Personnel responsibilities, Management must also:
- Clearly communicate IRS privacy policies and procedures to all personnel in their organizations, ensuring awareness of their responsibilities to protect SBU data (including PII and tax information) and uphold applicable privacy laws, regulations, and IRS policies and procedures.
- Ensure personnel with authorized access to SBU data receive training to carry out their roles and responsibilities in a manner consistent with IRS privacy policies. [OMB A-130]
- Ensure all personnel in their respective organizations comply with the IRS privacy policies and procedures. Also ensure any noncompliance is addressed and remedied promptly, including, if necessary, the initiation of penalties for noncompliance in accordance with federal law and IRS personnel rules and regulations.
- Take a proactive role in preventing UNAX violations in their respective areas.
- Ensure all personnel are trained and knowledgeable of the Taxpayer Browsing Protection Act of 1997, the consequences of UNAX violations for personnel, and that all personnel within their business area complete all IRS UNAX, privacy, information protection, and disclosure training requirements annually and as required for their position.
- Ensure proper safeguards are established to prevent unintentional exposure to SSNs in cases where SSN use is determined to be necessary.
- Ensure the SEID is used as the primary employee identifier as an alternative use for SSNs when possible.
- Ensure PCLIAs, for which they are the responsible official, are completed timely and mitigate any privacy risks discovered.
- Follow IRS records management requirements outlined in IRM 1.15.7, Records and Information Management, Files Management.
- Ensure all personnel report a data loss, theft, or improper disclosure of sensitive information immediately upon discovery of the loss to:
  1. Their manager and
  2. The appropriate organizations based on what was lost or disclosed.

Note: For more information on reporting an incident, see IRM 10.5.4, Privacy and Information Protection, Incident Management Program, or the Report Losses, Thefts or Disclosures of Sensitive Data; Report Lost or Stolen IT Assets site on the PGLD Disclosure and Privacy Knowledge Base on IRS Source.

10.5.1.4.3 (09-24-2020) Senior Management/Executives

In addition to the Employee/Personnel and Management responsibilities, Senior Management/Executives must also:
- Coordinate with the Chief Privacy Officer (CPO) to develop, implement, maintain, and enforce a program to protect all SBU data (including PII and tax information) for which they are responsible in accordance with IRS privacy policies and procedures. [OMB A-130]
- Focus special emphasis on the government-wide requirements to eliminate the unnecessary collection and use of SSNs as a personal identifier for employee and tax systems and programs. [OMB A-130]
- Periodically assess and evaluate privacy awareness activities of their organization in order to set clear expectations for compliance with all requirements.
- Allocate sufficient resources to comply with IRS privacy policies and procedures. [OMB A-130]
- Ensure IRS-wide, alternative unique identifiers are used for internal and taxpayer systems and programs in place of SSNs when possible.

Note: To deviate from privacy policy, follow the Risk Acceptance Form and Tool (RAFT) process. The executive or other senior official with the authority to formally assume responsibility for the process must sign the RAFT as the approver. The RAFT clearly documents business decisions in the context of risk appetite and/or acceptance.
Submit the RAFT to PPKM for review for compliance with privacy laws and regulations. PPKM will not grant exceptions to bypass laws or mandates. Submit RAFT review requests via email to *Privacy (give topic name in subject line and add Attn: CPO RAFT review). For RAFT guidance, refer to the Office of the Chief Risk Officer.

10.5.1.4.4 (09-24-2020) System Owners

In addition to the Employees/Personnel responsibilities, IRS system owners must:
- Follow applicable laws, regulations, and IRS privacy policies and procedures in the development, acquisition, implementation, operation, and disposal of all systems under their control.
- Ensure that the use of SBU data (including PII and tax information) throughout the privacy lifecycle is limited to that which is minimally necessary for tax administration purposes or other legally authorized purposes.
- Examine the use of SSNs in all information systems and programs, as well as hardcopy and electronic formats (for example, forms, printouts, screenshots, displays, electronic media, archives, and online storage repositories) and eliminate the unnecessary use of SSNs where identified.
- Ensure that adequate SSN alternatives are employed, as necessary.
- Ensure, to the extent possible, that SBU data used by the IRS to complete business functions is accurate, relevant, timely, and complete.
- Ensure that all new systems, systems under development, or systems undergoing major modifications that contain SBU data have in place a completed and approved PCLIA in accordance with federal laws and IRS policy.
- Work with Privacy Compliance and Assurance (PCA) to ensure that approved PCLIAs for systems that contain SBU data or PII on the public are reviewed for redaction prior to being posted to IRS.gov.
- Coordinate with the system developer and PCA to ensure identified privacy risks are documented in their Plans of Action and Milestones (POA&Ms) and are resolved in a timely manner.
- Coordinate all inter-agency PII sharing agreements with PGLD’s Governmental Liaison, Disclosure, and Safeguards (GLDS) and other affected IRS entities that establish and monitor the sharing of PII with external entities.
- Implement safeguards to establish and monitor internal and third party agreements for the protection of SBU data and to ensure the confidentiality of SBU data.
- Ensure that IRS personnel involved in the management, operation, programming, maintenance, or use of IRS information systems complete IRS UNAX and privacy, information protection and disclosure training prior to being granted access to those systems containing SBU data.
- Ensure that IRS personnel who have access to SBU data for testing follow the requirements of IRM 10.5.8, Privacy and Information Protection, Sensitive But Unclassified (SBU) Data Policy: Protecting SBU in Non-Production Environments. For more information, refer to the SBU Data Policy page on the Disclosure and Privacy Knowledge Base on IRS Source.
- Follow IRS records management requirements outlined in IRM 1.15.7, Records and Information Management, Files Management.

10.5.1.4.5 (03-23-2018) System Developers

In addition to the Employees/Personnel responsibilities, System Developers must:
- Follow IRS privacy policies and procedures in the development, implementation, and operation of information systems for which they are responsible, including reviews of the use of SSNs by IRS systems.
- Work closely with system owners to eliminate the unnecessary collection and use of SSNs in all IRS systems.
- Develop information systems that provide the capability to partially mask, truncate, or redact the SSN when the total elimination of the use of SSNs is not possible in both personnel and tax systems.
- Work with system owners to eliminate unnecessary accessing, collecting, displaying, sharing, transferring, retaining, and using of the SSNs in personnel and tax systems.
Establish, maintain, and test the management, operational, and technical controls to protect SBU data (including PII and tax information).
Complete system PCLIAs in concert with system owners and in accordance with IRS policy, if they are the responsible management official or designees.
Coordinate with the system owners and PCA to resolve identified privacy risks.
Perform system lifecycle reviews to ensure satisfactory resolution of privacy risks and provide the results to the system owners.

10.5.1.4.6 (09-24-2020) Authorizing Officials

In addition to the Employee/Personnel and Management responsibilities, the Authorizing Official (AO) must develop and maintain additional operational documentation (such as action and implementation plans, standard operating procedures) necessary for implementation of the privacy controls, delineated in the IRM 10.5 series.

Note: To deviate from privacy policy, follow the Risk Acceptance Form and Tool (RAFT) process. The executive or other senior official with the authority to formally assume responsibility for the process must sign the RAFT as the approver. The RAFT clearly documents business decisions in the context of risk appetite and/or acceptance. Submit the RAFT to PPKM for review for compliance with privacy laws and regulations. PPKM will not grant exceptions to bypass laws or mandates. Submit RAFT review requests via email to *Privacy (give topic name in subject line and add Attn: CPO RAFT review). For RAFT guidance, refer to the Office of the Chief Risk Officer.

The AO holds responsibility for implementation of privacy, including documentation and procedures for how their information systems are managed, administered, and monitored.
10.5.1.4.7 (09-24-2020) Personnel Engaged in Procurement Activities

In addition to the Employee/Personnel responsibilities, personnel engaged in procurement-related activities must:
Review and understand the appropriate procurement-related training and guidance, including the Contracting Officer Representative (COR) Security, Privacy, and Disclosure Awareness Training.
Note: For more information, see the Contractors section in IRM 10.5.1.6.14 and refer to IRM 11.3.24.
Ensure all IRS acquisitions and contract vehicles contain appropriate language holding contractors and other service providers accountable for complying with federal and IRS privacy policies and procedures.
Insert the necessary contract clauses in all acquisitions and procurement documents generated in support of any contract or agreement involving access to SBU data (including PII and tax information). This includes, but is not limited to, clauses specific to SBU data, IRC 6103, the Privacy Act, and Non-Disclosure Agreements. To find the appropriate contract clauses, refer to the Contractor Compliance page on the PGLD Disclosure and Privacy Knowledge Base on IRS Source or the Procurement site.
Ensure contract work statements specifically identify the appropriate System of Records Notice (SORN) when Privacy Act information is a part of the research, design, development, testing, or operation work to be performed.
Review contract requirements to determine whether the contract will involve access to SBU data (including PII and tax information), or the design, development, or operation of a SORN on individuals to accomplish an IRS function.
Ensure compliance with the Federal Acquisition Regulations (FAR).
For more information, refer to the FAR site: https://www.acquisition.gov/browse/index/far
Support the appropriate level of contractor background investigation in cooperation with the Office of Contractor Security Management (CSM) and Office of Personnel Security (PS) as described in IRM 10.23.2, Personnel Security – Contractor Investigations. This includes working with PS to assign the correct risk designations (often Moderate for access to SBU data), assist with contractor fingerprinting if needed, as well as identity card distribution. Contractors may need to be re-investigated every five years; the COR is responsible for initiating re-investigations.
Note: Any staff-like access (facilities, systems, or SBU data) requires completion of a favorable suitability/fitness determination (background investigation) conducted by IRS Personnel Security. For more information about staff-like access, refer to IRM 10.23.2.
Ensure contractors take required security, privacy, disclosure, and UNAX training and complete Non-Disclosure Agreements (NDAs) within the required time frames per CSM instructions.
Ensure any contract involving the use of SBU data for testing follows the requirements of IRM 10.5.8, Sensitive But Unclassified (SBU) Data Policy: Protecting SBU in Non-Production Environments. For more information, refer to the SBU Data Policy page on PGLD’s Disclosure and Privacy Knowledge Base on IRS Source.
Ensure contractors receive and understand the PCLIA when supporting a project with a PCLIA. In some cases, contractors might need to work with the IRS to complete the required PCLIA. Before "developing or procuring information technology that collects, maintains, or disseminates" SBU data (including PII and tax information), the IRS must complete a PCLIA. [E-Government Act]
Ensure the contractor understands incident response requirements.
All incidents related to IRS processing, information, or information systems must be reported immediately upon discovery to the CO and COR.
Report security incidents to CSIRC by contacting the CSIRC Support Desk at 240-613-3606. Refer to the IR-6 Incident Reporting section in Pub 4812.
Report UNAX by a contractor to TIGTA and Procurement.
Collaborate with CSM at contract closeout to ensure system and facilities accesses are revoked and all IRS data is returned or purged as required by the contract.
Email Privacy Policy for assistance with these responsibilities at *Privacy. For more information, see the internal Procurement site on IRS Source. [OMB A-130, AR-3]

10.5.1.5 (03-23-2018) Privacy Culture

The IRS requires a privacy culture, wherein all personnel think about privacy before taking action. In such an environment or culture, protecting privacy guides the day-to-day practices and routines of each individual.
Throughout the privacy lifecycle, consider whether the use of SBU data (including PII and tax information) meets all the IRS Privacy Principles.
Note: One approach might be to ask if you would want your information treated in this way.
The IRS has programs to promote a privacy culture.

10.5.1.5.1 (09-24-2020) Clean Desk Policy

The IRS’s Clean Desk Policy and containerization objectives are designed to address the protection of SBU data (including PII and tax information) throughout the privacy lifecycle. The Clean Desk Policy requirements apply to data left out in work areas (including those in telework and offsite locations) and non-secured containers, on credenzas, desk tops, fax/copy machines, conference rooms, and in/out baskets. [TD P 15-71; PVR-01, PVR-05, PVR-06]
All SBU data (including PII and tax information) in non-secured areas must be containerized during non-duty hours.
Protected data must be locked in containers in areas where non-IRS personnel have access during non-duty hours and/or when not under the direct control of an authorized IRS employee. For additional information, refer to the Containers section in IRM 10.2.14, Methods of Providing Protection.
For some pipeline activities and processing conducted at Submission Processing centers, campuses, and computing centers, the volume of the tax information processed and the disruption to these operations might prevent containerization and Clean Desk implementation. Clean Desk Waivers are required for these areas.

Clean Desk Waiver requirements are:
Waivers are restricted to pipeline activities and processing conducted at Submission Processing centers, campuses, and computing centers.
The request must be justified and not just a matter of convenience.
Requests for exemption must be approved at the Executive level of the business unit making the request via Form 14617, Clean Desk Waiver Request and Checklist.
The Clean Desk Waiver request must be forwarded by the business unit to PGLD for approval via email to *Privacy.
Facilities Management and Security Services (FMSS) will conduct the physical onsite reviews, with assistance from PGLD Records Management as necessary.
Exemptions citing voluminous files will not be granted until a review is conducted by FMSS and PGLD.
Items identified as requiring Special Security (SP) cannot be exempted from the Clean Desk Policy. For additional guidance, see IRM 10.2.15, Minimum Protection Standards (MPS).
Requests must demonstrate a layered security plan that affords the campuses and the computing centers a higher level of protection to accommodate the processing operation.
The request for waiver must be submitted annually as required.
Submission Processing activity may complete one waiver request for each campus, computing center, or other POD, but will not receive blanket waivers for any entire facility.
10.5.1.5.2 (09-24-2020) Privacy in Practice (PiP)

IRS Privacy in Practice includes protecting privacy in systems and safeguarding privacy in everyday business practices. All IRS activities should contain an element of privacy. A culture of privacy prevails through Privacy in Practice; from systems development to customer service, training, communications, passwords, and the Clean Desk Policy.
PGLD Privacy Policy and Compliance (PPC) employees serve as privacy advocates and consultants for IRS personnel and projects.
Designing privacy into projects is a key aspect of effective privacy policy and compliance at the IRS. This concept reflects the principle that organizations best achieve privacy goals when they weave privacy proactively into business processes and operational practices. To be effective, privacy principles must be introduced early in a project lifecycle, in architecture planning, system design, and the development of operational procedures. Invite PPC privacy employees whenever necessary at all project stages.
Refer to Privacy in Practice Quick Reference Guide (Document 13291). To request assistance or for further information, email *Privacy.
Refer to the Enterprise Architecture site on IRS Source.

10.5.1.6 (09-24-2020) Practical Privacy Policy

These sections describe privacy policy in terms of common issue areas. Many of these areas interrelate with each other, physical protection, and IT security practices.
For more information, refer to the PGLD Disclosure and Privacy Knowledge Base on IRS Source. For additional help, email *Privacy.

10.5.1.6.1 (09-24-2020) Protecting and Safeguarding SBU Data and PII

Regardless of the risk, IRS personnel must protect and safeguard SBU data (including PII and tax information). This means personnel must properly use SBU data throughout the privacy lifecycle.
The following requirements stem from TD P 15-71, Treasury Security Manual, Chapter III, Section 24, Sensitive But Unclassified Information.
IRS personnel must be aware of and comply with safeguarding requirements for SBU data. Personnel must also be aware that divulging SBU data without proper authority could result in administrative or disciplinary action (including termination of contract).
The lack of an SBU marking does not mean the information is not sensitive nor does it relieve the creator or holder of such information from responsibility to appropriately safeguard the information from unauthorized use or inadvertent disclosure.
Personnel must take steps to prevent the possibility of such disclosure by non-IRS personnel. Personnel must deny unauthorized non-IRS personnel access to other than those areas which have been established for serving the public. Personnel must follow the IRS Clean Desk Policy in IRM 10.5.1.5.1.
IRS officials who use SBU data are responsible for determining how long the information must be protected, for example, either by date or lapse of a determinable event.
IRS security officials must provide routine oversight of measures in place to protect SBU data through a program of routine administration and day-to-day management of their information security program.
IRS supervisors and program managers are responsible for personnel being trained to recognize and safeguard SBU data supporting their mission, operations, and assets. Supervisors and managers must also ensure an adequate level of education and awareness is maintained by affected personnel. Education and awareness must begin upon initial personnel assignment and be reinforced annually through mandatory training, staff meetings, or other methods/media contributing to an informed workforce.
IRS personnel must protect SBU data supporting their mission, operations, and assets. Protection efforts must focus on preventing unauthorized or inadvertent disclosure and especially when visitors enter areas where SBU data is handled, processed, discussed, or stored.
This includes being aware of surreptitious and accidental threats posed by high-end communications technologies carried/used by personnel and visitors, such as cell phones (with or without photographic capability), personal data assistants/digital assistants, smart devices, Internet of Things (IoT), portable/pocket computers, cameras, and other video imaging recorders, flash drives, multi-functional and two-way pagers, and wireless devices capable of storing, processing, or transmitting information.
IRS program managers and contracting officials must also require appropriate privacy and security contract clauses for personnel, facilities, and information protection through the acquisition process of contracts or grants that concern access to SBU data.

10.5.1.6.1.1 (09-24-2020) Deciding Risk Levels for SBU Data and PII

If SBU data (including PII and tax information) is lost, compromised, or disclosed without authorization, it could result in substantial harm, embarrassment, inconvenience or unfairness to an individual or the IRS.
Harm includes any adverse effects experienced by an individual whose PII was compromised, or adverse effects to the IRS such as a loss of public confidence.
The greater the potential for harm, the more at risk the SBU data becomes. As outlined in NIST SP 800-122:
PII with a low confidentiality level means limited potential harm with minor impact on an individual or the IRS. Low confidentiality level SBU data would include, for example, information that can be released under FOIA requests, or information that has become public record or is publicly available. For more information, see FOIA and SBU Data, IRM 10.5.1.2.2.3, and Public Record, IRM 10.5.1.2.3.2. The SEID is an example of low risk PII.
PII with moderate or high confidentiality levels means the potential harm ranges from serious to severe or catastrophic, with significant to severe impact to an individual or the IRS. Tax information is an example of high risk PII.
The greater the risk to SBU data, the stronger the privacy and security protections become. [OMB A-130, NIST SP 800-122] For example, moderate and high risk SBU data require encryption, but publicly available low risk SBU data might not need encryption.
When in doubt about the level of risk of SBU data (including PII and tax information), or the privacy concerns around the data, email *Privacy for assistance.
For more information about publicly available information, see the Public Record section in IRM 10.5.1.2.3.2.
For more information on the IT aspects of data security, refer to IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance.

10.5.1.6.1.2 (09-24-2020) Limiting Sharing of SBU Data and PII

All SBU data (including PII and tax information) must be protected. What SBU data may be shared is limited. [PVR-02, PVR-05; UL-2: Information Sharing with Third Parties]
Information designated as SBU must be orally, visually, or electronically disseminated in such manner to avoid access by unauthorized persons. Precautions might include preventing visual access and restricting oral disclosure to designated individuals.
SBU data may be reproduced on regular office copiers to the extent needed to carry out official business. Flawed or otherwise unusable reproductions must be destroyed via shredding or placement in burn bags. See the Disposition and Destruction section in IRM 10.5.1.6.9.
Follow extensive Disclosure rules in the IRM 11.3 series, Disclosure of Official Information.

Internally:
Only share SBU data (including PII and tax information) with other IRS personnel if the recipient’s need for the information is related to his or her official duties.
The electronic transmission of SBU data (including PII and tax information) requires encryption for security purposes. See the Encryption section in IRM 10.5.1.6.2 for more information.
Release of tax information (whether of an individual or business) is restricted by the confidentiality provisions of IRC 6103(a). Share tax information only with authorized individuals following established written procedures.
Note: Removing identifying information (i.e., Name/TIN) from specific tax records does not remove it from the confidentiality protections of IRC 6103.

Externally:
Only share SBU data (including PII and tax information) with authorized individuals outside of IRS, in encrypted files, if all these conditions are met:
Individual authorized to receive it under law or regulation, such as IRC 6103. Authority may be established by a formal request for information processed using established written procedures, or a memorandum of understanding or executed agreement which also establishes the secure method of transmission for the data.
Note: Keep agreements in an approved database/program, such as IRS Agreement Database (IAD). For more information about the IAD, see the Governmental Liaison (GL) section in IRM 10.5.1.7.12.
Recipient need for the information related to official duties.
Recipient authenticated.
Recipient accepted information and any obligation to protect.
Access controls limited to those with need to know.
The applicable System of Records Notice (SORN) includes the use as a published routine use. Refer to the section on SORNs on the PGLD Disclosure and Privacy Knowledge Base on IRS Source and IRM 10.5.6, Privacy Act.
Refer to the IRM 11.3 series (Disclosure of Official Information) or email *Disclosure for additional guidance.

10.5.1.6.1.3 (09-24-2020) Extracting SBU Data (Including PII and Tax Information)

IRS personnel must not create unauthorized, unnecessary, or duplicative hardcopy or electronic collections of SBU data (including PII and tax information), such as duplicate, ancillary, shadow, personal copies, or "under the radar" files.
[PVR-03]
If creating new spreadsheets or databases containing SBU data (including PII and tax information) from a larger file or database is necessary, consider whether a PCLIA is required. To do so, submit a Qualifying Questionnaire (QQ), or email *Privacy. For more information on the QQ and PCLIA process, refer to IRM 10.5.2, Privacy Compliance and Assurance (PCA) Program.

10.5.1.6.2 (09-24-2020) Encryption

Encryption is an important tool in the IRS’s protection of SBU data (including PII and tax information). [OMB A-130, PVR-06]
For more details about emailing and encrypting SBU data, see the Email section in IRM 10.5.1.6.8.

10.5.1.6.2.1 (09-24-2020) External

Protect all SBU data (including PII and tax information) processed, stored, or transmitted outside the IRS with IT-approved encryption methods, unless specifically excluded in the IRM. This includes, but is not limited to, SBU data in email, removable media (such as USB drives), on mobile computing devices, and on computers and mobile devices.
IRS IT-approved encryption methods include, but are not limited to, Symantec Endpoint Encryption Removable Storage (SEERS, formerly known as GERS, Guardian Edge Removable Storage), password-protected SecureZip, and secure messaging via Outlook.
Note: Different policies apply for emails to taxpayers and representatives, other stakeholders, those with IRS accounts, and personal email. For more information and requirements about emailing outside the IRS, see Emails to Taxpayers and Representatives, IRM 10.5.1.6.8.1, Emails to Other External Stakeholders, IRM 10.5.1.6.8.2, Emails to IRS Accounts, IRM 10.5.1.6.8.3, and Emails with Personal Accounts, IRM 10.5.1.6.8.4, Email section in IRM 10.5.1.6.8.
See the Virtual Library for more information about encrypting documents, emails, and email attachments on the Encryption page on the PGLD Disclosure and Privacy Knowledge Base on IRS Source.
Refer to specific requirements in these IRMs:
IRM 1.15 series, Records and Information Management.
IRM 10.2 series, Physical Security Program.
IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance, in the Cryptographic Protection, Access Control, Media Protection, and Physical and Environmental Protection sections.

10.5.1.6.2.2 (09-24-2020) Internal

Within the IRS, protect all SBU data (including PII and tax information) with encryption and/or access controls, limiting access only to approved personnel with a need to know. Within the IRS network, emails can be encrypted using the Secure Enterprise Messaging System.
Note: See the Public Record section in IRM 10.5.1.2.3.2, for more information about publicly available information.
Refer to specific data encryption requirements in IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance, in the Encryption, Access Control, Media Protection, and Physical and Environmental Protection sections.

10.5.1.6.2.3 (09-24-2020) Attachment Encryption Instructions

Refer to the SecureZip and SEERS (formerly GERS) brochures in the Encryption page on the PGLD Disclosure and Privacy Knowledge Base on IRS Source.
Instructions for using SecureZip and SEERS (formerly GERS) to encrypt attachments also are available on the FindIT site on IRS Source.

10.5.1.6.3 (09-24-2020) Computers and Mobile Computing Devices

Any SBU data (including PII and tax information) on a computer (such as a server, desktop, or mobile computing device [such as a laptop, tablet, smartphone, etc.]) must be protected, locked (such as a screen saver), secured physically, and kept within sight and/or control.
IRS personnel must use encryption, access controls, and physical security measures as appropriate for the equipment and setting. For example, computers on IRS sites (federal facilities, contractor’s offices, or rented areas) must follow the appropriate Physical Security Program policies or contractual requirements.
In addition, IRS personnel must not use mobile devices in public settings in such a way as to expose SBU data (including PII and tax information). To the extent possible, position any computer or device screen displaying IRS SBU data (including PII and tax information) so that non-authorized personnel cannot view the data.
Protect equipment. Securely lock computers (such as a server, desktop, or mobile computing device [such as a laptop, tablet, smartphone, etc.]) or other equipment (such as flash drives, CDs, external drives) when left unattended, whether in the office, in the home, or in a hotel room. Use the IRS-provided cables and cable locks to secure laptops when working in regular work space (worksite), working out of the office, or in travel status.
For more information about secured wireless access points (wi-fi hotspots), refer to the Telework section in IRM 10.5.1.6.11 and the AC-18 Wireless Access section in IRM 10.8.1, Information Technology (IT) Security Policy and Guidance.

10.5.1.6.4 (09-24-2020) Data Loss

IRS personnel must prevent SBU data loss throughout the privacy lifecycle. If such a loss occurs:
Immediately upon discovery of an inadvertent unauthorized disclosure of sensitive information, or the loss or theft of an IT asset or hardcopy record or document containing sensitive information, IRS personnel must report the incident to his or her manager and the appropriate organizations based on what was lost or disclosed. [OMB A-130]
For a brief description of the Incident Management program, see the Incident Management section in IRM 10.5.1.7.15.
For more information about how to report an incident, refer to IRM 10.5.4, Privacy and Information Protection, Incident Management Program, or the Report Losses, Thefts or Disclosures of Sensitive Data; Report Lost or Stolen IT Assets site on the PGLD Disclosure and Privacy Knowledge Base on IRS Source.
10.5.1.6.5 (09-24-2020) Marking

The Treasury Security Manual [TD P 15-71, Treasury Security Manual, Chapter III, Section 24, Sensitive But Unclassified Information] requires that information designated as SBU data (including PII and tax information) and requiring such marking must be distinctly labeled so persons authorized access are readily aware of its sensitivity. IRS-specific marking requirements are also addressed in IRM 11.3.12, Designation of Documents.
The lack of SBU markings, however, does not relieve the holder from safeguarding responsibilities. Unmarked SBU information already in records storage does not need to be removed, marked, and restored. However, when individual items are temporarily removed from storage that have no markings (and are subsequently deemed to be SBU), those will be appropriately marked to reflect the correct status as SBU before being re-filed.
Items containing SBU information will be prominently marked at the top/bottom of the front/back cover and each individual page with the marking "SENSITIVE BUT UNCLASSIFIED" or "SBU". Information system prompts may be adjusted to incorporate SBU markings in headers and footers.
Portions, paragraphs, and subject titles containing SBU information will be marked with the abbreviation "SBU" to differentiate it from the remaining text. Only when the entire text contains SBU information are individual portion markings optional.
Controlling, decontrolling, or originator information markings are not required.
When sent outside IRS, SBU information documents will include a statement alerting the recipient in a transmittal letter or directly on the document containing SBU information, for example: "This document belongs to the IRS. It may not be released without the express permission of (creating office). Refer requests and inquiries for the document to: (insert name and address of originating office and contact number(s))".
Protective measures start when markings are applied and end when such markings are cancelled or the records are destroyed.
Although SBU is Treasury’s standard for identifying sensitive information, some types of SBU information might be more sensitive than others and warrant additional safeguarding measures beyond the minimum requirements established herein. Certain information might be extremely sensitive based on repercussions if the information is released or compromised – potential loss of life or compromise of a law enforcement informant or operation. IRS and its personnel must use sound judgment coupled with an evaluation of the risks, vulnerabilities, and the potential damage to personnel or property/equipment as the basis for determining the need for safeguards in excess of the minimum requirements contained herein.
A green Sensitive But Unclassified (SBU) Cover Sheet, Other Gov TDF 15-05.11, must be placed on documents that contain SBU material to prevent unauthorized or inadvertent disclosure when SBU information is removed from an authorized storage location and persons without a need-to-know are present or casual observation would reveal SBU information. When forwarding SBU information, place an SBU cover sheet inside the envelope and on top of the transmittal letter, memorandum, or document.
When receiving SBU or equivalent information from another U.S. Government agency, handle it in accordance with the guidance provided by the other U.S. Government agency. Where no guidance is provided, handle it in accordance with IRS policy as described herein.

10.5.1.6.6 (09-24-2020) Storage

For storage of SBU data (including PII and tax information), refer to IRM 10.8.1 about limiting access to need-to-know personnel and for encryption requirements.
For storage of federal records, refer to IRM 1.15 series, Records and Information Management.
For managers handling employee performance files (EPFs), refer to the sections:
Maintaining Tax Return Information in Employee Performance Files section in IRM 11.3.22.
Employees in Critical Job Elements in IRM 6.430.2, Performance Management, Performance Management Program for Evaluating Bargaining Unit and Non Bargaining Unit Employees Assigned to Critical Job Elements (CJEs).
Performance Management Program for Evaluating Managers, Management Officials and Confidential Management/Program Analysts in IRM 6.430.3, Performance Management, Performance Management Program for Evaluating Managers, Management Officials and Confidential Management/Program Analysts.

10.5.1.6.7 (03-23-2018) Transmission

SBU data (including PII and tax information) transmitted from one location to another must be provided adequate safeguards. Refer to the Transporting Documents section of IRM 11.3.1.

10.5.1.6.7.1 (09-24-2020) Field and Travel

If IRS personnel carry SBU data (including PII and tax information) in connection with a trip or in the course of daily activities, they must keep it with them to the extent possible.
If SBU data (including PII and tax information) must be left in an automobile while traveling between work locations or between work and home, lock it in the trunk. If the vehicle does not have a trunk, conceal the material from plain view and secure it in some manner. When not in transit, data must be secured in an approved work location (office, approved and securable telework location, or approved taxpayer site in IRS-approved lockable containers).
Note: In either case, lock the vehicle and leave the material unattended for only a short period.
If the SBU data (including PII and tax information) must be left in a hotel or motel room, lock it in a briefcase and conceal it to the extent possible.
Caution: Do this as a last resort as a hotel or motel room is usually not a good location to leave tax information.
If SBU data (including PII and tax information) is being moved from one building to another (even within the same fence line) or one location to another even if it is a short distance, take necessary steps to protect the information from unauthorized disclosure, loss, damage or destruction.
Field employees might have sensitive information needing protection while temporarily stored at the taxpayer's site. Sensitive tax information (such as agent's work papers, original returns, examination plans, probes, fraud data, etc.) housed at the taxpayer's site must be stored in a container under the control of the responsible IRS employee.
Note: If possible, use an IRS-furnished security container. If necessary, use a taxpayer-furnished container, but modify the taxpayer-furnished container (such as with bars and locks) so that the IRS is assured that the taxpayer cannot access the container.
During duty-hours, the tax information must be under the personal custody of the IRS employee if it is not properly secured in approved containers.
If a lockable and suitable container cannot be provided, tax information will not be left at the taxpayer's site.
For more information about how to protect taxpayer location when using GPS and location services, see Global Positioning Systems (GPS) and Location Services section in IRM 10.5.1.6.10.

10.5.1.6.7.2 (03-23-2018) Mail

When sending SBU data by mail within the U.S. and Territories (serviced by United States Postal Service [USPS]):
Place SBU data in a single opaque envelope/container.
Seal it to prevent inadvertent opening and to reveal evidence of possible tampering.
Clearly identify the complete name and address of the sender and intended recipient or program office on the envelope/container.
Note: SBU data may be opened and examined by mail room personnel in the same manner in which other incoming mail is evaluated and determined to be safe for internal delivery.
SBU data must be mailed by USPS First Class Mail.
Use of express mail services or commercial overnight delivery service is authorized, as warranted.

When sending SBU data to offices Overseas:
- If serviced by a military postal facility (i.e., APO/FPO), mail SBU data directly to the recipient.
- Where the overseas office is not serviced by a military postal facility, send the information through the Department of State’s (DOS’s) unclassified diplomatic pouch. Coordinate in advance with DOS officials to ensure delivery at the final destination meets Treasury/IRS needs and DOS schedule for such deliveries.

10.5.1.6.7.3 (09-24-2020) Shipping

IRS personnel must follow proper data protection procedures when shipping PII.

Letters and packages containing PII that weigh less than 13 ounces may be mailed via United States Postal Service (USPS). These packages do not require double packaging and double labeling. Packages containing PII that weigh 13 ounces or more must be shipped through a private delivery carrier. If the package contains PII and is being shipped through a private delivery carrier, the sender must follow the procedures included below for properly double packaging, double labeling, and tracking the shipment, including the use of Form 3210, Document Transmittal.
Exception: Mail to Post Office Boxes must continue to be sent via USPS.

When shipping PII through private delivery carrier, the use of UPS CampusShip is mandatory at all locations except Campus locations and offices serviced by a FMSS contract mailroom. UPS CampusShip is an Internet-based shipping system that can be accessed from any location that has Internet access. UPS CampusShip has been rolled out across the country to IRS field offices that are not serviced by a FMSS contract mail room. Training material can be found in the following UPS CampusShip documents:
- Document 12888, UPS CampusShip: Electronic Shipping Methods.
- Document 12889, UPS CampusShip: Advanced Features.

CampusShip allows employees to:
- Generate labels electronically.
- Secure current IRS address information from corporate address repository to improve accuracy of delivery. CampusShip features a Corporate Address Book which contains addresses for over 700 IRS locations; this improves accuracy of delivery since addresses are current.
- Track packages via the Internet to easily verify their shipments arrived at the intended destination and to quickly identify a missing shipment, reducing the likelihood that PII could be lost or exposed to an unauthorized individual.

Packages containing PII must be double-packaged and double-labeled prior to shipping. Double-packaging helps ensure the contents are protected if the outer package is damaged or destroyed during the shipping process. Duplicate shipping labels allow the contents to be properly delivered without potential disclosure if the external package is damaged or destroyed.
Caution: Shrink wrapping the external packaging or wrapping the external packaging in paper does not satisfy double packaging requirements.

Employees shall evaluate the size of the PII shipment to be sent and identify appropriate packing materials. The appropriate type of internal and external packaging depends upon the size and weight of the package to be shipped. Use the smallest size packaging possible to reduce shipping costs and ensure minimal shifting of contents during shipment.

The sender must also determine whether to ship via ground service or express (Overnight and Second Day Air) services:
- Ground service should be used for shipping whenever possible. Ground service should always be the first choice; use express services only when absolutely necessary. There is no requirement that PII must be mailed via express services. For distances up to 500 miles, the regular ground service offered by the small package or motor freight carriers (depending on weight of shipment) can deliver your shipment within one or two days. For ground shipments, the business operating divisions provide the packaging material.
- Express Services are generally the fastest mode of transportation available, but are also much more expensive. This mode should only be used when transit time requirements are very short and the urgency of the shipment outweighs the additional costs involved; for example, remittances, statute cases, tax court cases, etc. Small package carrier provided packaging (carrier branded envelopes and boxes) can only be used for express services and are provided at no cost.

The sender must prepare Form 3210, Document Transmittal, identifying the package contents for all packages containing PII. For easier tracking, the sender may include the small package carrier tracking number in the "Remarks" area of Form 3210 on Part 4 (sender’s copy).

If the sender is using the small package carrier's web-based system to electronically generate shipping labels, the tracking number is immediately available on the pre-printed shipping label.

If the sender is using a contract mailroom, the sender should complete the sender's email address section of Form 9814, Request for Mail/Shipping Service: The mailroom must enter this email address when preparing the shipping label, and the small package carrier must send an email to the sender providing the tracking number. The sender can then place the tracking number on Part 4 of Form 3210 for proper record keeping.
Caution: According to current instructions, SSNs appearing on Form 3210 should be redacted to show only the last four digits. Do not include the full SSN on Form 3210.

Securely package the PII by placing the contents and the properly completed Form 3210 in an appropriately sized internal package. The sender retains Part 4, Sender's copy, of Form 3210 and includes Part 1, Recipient’s copy, and Part 3, Acknowledgement copy, with the shipment.
When possible, when sending the package to a specific individual, the sender may choose to notify the recipient via email, phone, or other method prior to shipment that the package containing PII is being sent. The sender may also choose to send an electronic PDF version of Form 3210 via secure email to the intended recipient so the recipient is aware of the expected shipment.

Internal packaging may include any of the following:
- An envelope: an E-20, Confidential Information envelope, is acceptable for this purpose.
- A plastic bag: should be sturdy enough to support the weight of the contents without tearing; should be black, green, or a similar color so the contents are not readable through the plastic bag.
Note: This is recommended as the easiest and most cost effective method for double packaging large case file shipments.
- A small box: an undamaged smaller box that fits within the external shipping box.

Label the internal package with the following information:
- Send To Address, including Mail Stop and/or Drop Point Number, if applicable.
- Return Address, including Mail Stop and/or Drop Point Number, if applicable.
- Sender's phone number.
- Small Carrier tracking number, if available.

The sender may use a copy of the exterior small package carrier shipping label for the internal label. If using a small package carrier web based shipping system to label packages, print two copies of the generated label and attach one to the internal package. If using a hardcopy small package carrier shipping document to label packages, photocopy the original form and attach it to the internal package. If using Form 9814, prepare an internal label with the required information. A copy of Form 9814 can also be included with the internal label.

Place the properly labeled, packaged, and sealed internal package into the external package.
External packaging materials may include:
- Envelope: For shipping smaller case files and documents via ground service, use an IRS issued non-confidential envelope (E-44; minimum size 9 ½” X 12”). Use an envelope or padded pack provided by the Small Package Carrier only when time constraints require shipping via express services.
- Box: Use an undamaged box specifically designed for shipping. Choose a box strength that is suitable for the size and weight of the contents you are shipping. For shipping smaller packages up to 10 pounds, use a small box ordered from an office supply vendor for ground shipments. Use boxes provided free of charge by the small package carrier only when time constraints require shipping via express services. For shipments over 10 pounds, the external box should be a suitable flap top, corrugated cardboard box rated with a bursting strength to support the contents. Never exceed the maximum gross weight for the box, which is usually printed on the box maker's certificate on the bottom flap of the box.
Note: A standard Shipping Record Box (size 14.75” X 12” X 9.5”) that is used to retire files meets this requirement. If possible, use the Shipping Record Box Sleeve as the external packaging. File boxes used for Federal Record Center storage, combined with a sleeve box, will have a bursting strength exceeding 125 pounds per square inch and will be more than adequate for most ground shipments.
Caution: Used copy paper boxes and other boxes with lids do not meet this requirement; boxes with lids can get caught on conveyer belts and damage or destroy the shipment.

Whenever possible, use a new box; however undamaged packaging materials may be re-used to ship PII. Only reuse a box if it is rigid and in good condition with no punctures, tears, rips, or corner damages, and all flaps are intact. Remove any existing labels and all other shipment markings if a box is being reused.
If appropriately sized packaging is not available, use cushioning material inside the package so the contents do not move or shift when the package is shaken. Cushioning material should consist of materials that are readily available, and they can be re-used. It is not necessary to purchase prefabricated materials specifically designed to cushion packages for this purpose. Examples of cushioning material include non-confidential paper, shredded administrative paper, obsolete forms, newspaper, and/or commercially purchased Styrofoam peanuts, air bags, etc. Place the cushioning material around the items in the box. Close and shake the box to see whether you have enough cushioning material; add more cushioning material if you hear or feel the contents shifting.

External packaging material shall not be marked or labeled with information indicating that package contents include sensitive information. Packages can still be marked as "time sensitive" or "process immediately" as applicable to ensure documents are processed timely. Labels that indicate sensitive contents include, but are not limited to:
- "Remittance" labels indicating package contents contain remittances.
- Labels indicating package contents contain case files or re-files; an acceptable alternative method would be to indicate "Sort and Sequence".
Note: Do not remove references to IRS from an envelope since it is necessary to include IRS on Return Address and Send To Address labels to ensure that the package is delivered to the intended location if any of the address information is incorrect.

Seal the package with strong clear shipping tape that is two inches or more in width. Do not use string, paper over-wrap, shrink wrap, and/or plastic straps.

Place the shipping label on the top of the package and ensure it is properly adhered and will not separate from the box. Do not place the label over a seam or closure or on top of sealing tape since this could cause it to be damaged or removed from the package.
The sender shall be responsible for monitoring the delivery of the shipment. Employees should follow their organization’s established time frames for Form 3210 acknowledgement follow-up. Where there is no established time frame in an individual organization, the follow-up action should take place in three business days for overnight shipments and ten business days for ground shipments.

Once the shipment is received, the recipient will verify the contents were received and sign the acknowledgment copy of the Form 3210. The recipient will return the Form 3210 acknowledgement to the sender using secure email (electronic or scanned copy), fax, or mail. If the SSN was not redacted as required on the Form 3210, redact all but the last four digits of the SSN prior to returning it to the sender.

After receiving the acknowledgement copy, the sender will associate it with the original Form 3210.
Note: No further action is required if the Form 3210 acknowledgment is received.

If the Form 3210 acknowledgement isn't received within the established time frame, the sender should access the small package carrier's website to track the shipment to determine if it was delivered successfully. The tracking number should have been included on Form 3210 when the shipping labels were prepared or after the number was received from the carrier if Form 9814 was used.

If the tracking information indicates the package was delivered, the sender must call the intended recipient to confirm actual receipt of the package. If the recipient did receive the package, ask the recipient to complete and return the Form 3210 Acknowledgement. If the recipient didn’t receive the package, the package is considered lost within the IRS facility and the sender must follow the procedures for reporting a loss of hardcopy documents. The intended recipient should also initiate a search in their IRS facility when the carrier shows an individual signed for the package.
If the tracking information indicates the package was not successfully delivered, the sender should closely monitor the tracking information for up to 48 hours (2 business days) after the anticipated delivery date for air services and up to 72 hours (3 business days) after the anticipated delivery date for ground services. If the package is not delivered within these time frames, the package is considered lost and the sender should follow the procedures for reporting a loss of hardcopy documents.

Immediately upon discovering that a package is lost, report the loss according to IRM 10.5.4. Refer to the Report Losses, Thefts or Disclosures of Sensitive Data; Report Lost or Stolen IT Assets site on the PGLD Disclosure and Privacy Knowledge Base on IRS Source.

Managers shall perform, at a minimum, quarterly audits of the Form 3210 Acknowledgement process for packages containing PII to ensure appropriate follow-up is occurring. This procedure will allow IRS managers the opportunity to validate that PII senders are following up on Form 3210 Acknowledgments within defined time frames so that lost shipments are identified quickly. This reduces the likelihood that the PII could be exposed to an unauthorized user. Local management must determine the proper follow-up time frame as part of the manager’s operational review.

Form 3210 must be maintained in accordance with the existing record retention schedule for each Business Unit.

For more information, refer to the PII Hardcopy Shipping page on the PGLD Disclosure and Privacy Knowledge Base on IRS Source.

10.5.1.6.7.4 (09-24-2020) Faxing

Protect faxed SBU data (including PII and tax information) as with any other transmission of SBU data.

Use secure encrypted email internally, if possible, as an alternate way to send SBU data, instead of using a stand-alone fax machine. Scan, encrypt, and internally email documents containing SBU data. Do not email taxpayers or their representatives.
See the Email section in IRM 10.5.1.6.8 for more information.

If the information must be faxed, do not send SBU data to a fax machine without contacting the recipient to arrange for its receipt.

When transmitting SBU data via fax, use Enterprise Electronic Fax (EEFax) as the preferred method of faxing documents. Refer to IRS Electronic Fax System section of IRM 21.2.3, Systems and Research Programs, Transcripts, or the EEFax site on IRS Source.

For more information on securely faxing documents, refer to the Facsimile Transmission of Tax Information section of IRM 11.3.1 and the Facsimile and Facsimile Devices and AC-20 Use of External Information Systems - Control Enhancements sections of IRM 10.8.1.

10.5.1.6.7.5 (09-24-2020) Printing

Protect printed documents with SBU data and follow the IRS Clean Desk Policy in all work locations (including field and telework).

Minimize the printing of SBU data to what is explicitly necessary.

Properly store and dispose of printed materials. See Storage, IRM 10.5.1.6.6, and Disposition and Destruction, IRM 10.5.1.6.9.

Use only IRS-furnished (not personally owned) printers. Refer to the AC-20 Use of External Information Systems and Personally-Owned and Other Non-Government Furnished Equipment sections of IRM 10.8.1.

10.5.1.6.7.6 (09-24-2020) Phone

When communicating SBU data (including PII and tax information) via phone, IRS personnel must:
- Confirm speaking to an authorized person before discussing the information.
- Inform the person that the forthcoming discussion will include sensitive information.

Refer to the section Methods for Communication of Confidential Information in IRM 11.3.2, Disclosure to Persons of Material Interest.

10.5.1.6.7.7 (09-24-2020) Text Messaging (Texting)

IRS personnel must not use text messaging (texting) for official business. Refer to the Preserving Electronic Messages section of IRM 1.15.6, Managing Electronic Records. Refer to the Telecommunication Devices section of IRM 10.8.1.
10.5.1.6.7.8 (09-24-2020) Electronic

Electronic transmission addresses uploading or downloading, secure file transfer, file sharing, peer-to-peer (P2P), firewall rules, collaborative technology and systems, and blacklisted sites.

For more information about securing electronic transmissions, refer to those key words in IRM 10.8.1 and the CSIRC Firewall Rule Set Configuration Management section in IRM 10.8.54, Information Technology (IT) Security, Minimum Firewall Administration Requirements.

For more information about secure emailing, see the Email section in IRM 10.5.1.6.8.

10.5.1.6.7.9 (03-23-2018) Information Privacy During Office Moves

When moving an office or material, make plans to protect and account for all SBU data (including PII and tax information), as well as government property.

Consider the relevant factors of the move (such as the distance involved and the method to be used in making the move).

Keep SBU data in locked cabinets or sealed packing cartons while in transit.

Maintain accountability to ensure that cabinets or cartons do not become misplaced or lost during the move.

Take precautions commensurate with the type and value of property and data involved.

10.5.1.6.8 (09-24-2020) Email

IRS personnel must use IRS email accounts to conduct IRS official business. (TD P 85-01)

The Protecting Americans from Tax Hikes (PATH) Act of 2015, Section 402, Division Q of the Consolidated Appropriations Act of 2016 reads: No officer or employee of the Internal Revenue Service may use a personal email account to conduct any official business of the government.
Note: This policy applies to IRS officers, employees, and contractors alike, as noted in the Audience section in IRM 10.5.1.1.2. Law enforcement employees must refer to their divisional or law enforcement manuals for special rules.

Manage emails used for business communications as IRS records.
IRS personnel hold a legal responsibility to protect all IRS SBU data (including PII and tax information) entrusted to us by taxpayers, fellow personnel, and other individuals.

For more information about emailing outside the IRS, see the following subsections in this IRM for policy about taxpayers and representatives, other external stakeholders, IRS accounts, and personal email.
Note: Different policies apply for emails to taxpayers and representatives, other stakeholders, those with IRS accounts, and personal email. For more information and requirements about emailing outside the IRS, see Emails to Taxpayers and Representatives, IRM 10.5.1.6.8.1, Emails to Other External Stakeholders, IRM 10.5.1.6.8.2, Emails to IRS Accounts, IRM 10.5.1.6.8.3, and Emails with Personal Accounts, IRM 10.5.1.6.8.4.

When authorized to email SBU data, encrypt SBU data in emails using IRS IT-approved encryption technology.

Do not include SBU data (including PII or tax information, such as name control) in the email subject line.
Caution: Encryption methods do not encrypt the subject line or the header (email address information).
Note: See Emails to Taxpayers and Representatives in IRM 10.5.1.6.8.1 for subject line and header requirements.

IRS IT-approved encryption technology includes:
- Internal email (within the IRS network): Microsoft Outlook’s Secure Enterprise Messaging System (SEMS), which is secure email certificate encryption.
- External email (outside the IRS network): Password-protected encrypted attachments or previously authorized secure email certificate encryption, for example, see the LBI Secure Email program site. Refer to IRM 10.8.52, Information Technology (IT) Security, IRS Public Key Infrastructure (PKI) X.509 Certificate Policy, for more information about secure email certificate encryption.
- Attachments: SecureZip password-protected encrypted attachments, or Symantec Endpoint Encryption Removable Storage (SEERS, formerly known as Guardian Edge Removable Storage, GERS) encrypted attachments.
Note: Methods such as SecureZip and SEERS only encrypt the attachment, not the body of the email or the address or subject information. These methods do not encrypt the channel or authenticate the recipient, which is why this method is not allowed for emails with taxpayers and their representatives. For those requirements, see Emails to Taxpayers and Representatives in IRM 10.5.1.6.8.1.

Refer to these IRMs for additional policy:
- IRM 1.10.3, Standards for Using Email.
- IRM 1.15.6, Managing Electronic Records.
- IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance, (in the Electronic Mail Security and Use of External Information Systems sections).
- IRM 10.8.27, Personal Use of Government Furnished Information Technology Equipment and Resources.
- IRM 11.3.1, Disclosure of Official Information, Introduction to Disclosure (in the Electronic Mail and Secure Messaging section).

10.5.1.6.8.1 (09-24-2020) Emails to Taxpayers and Representatives

Do not send emails containing SBU data (including PII and tax information) to taxpayers or their authorized representatives, even if requested, because of the risk of improper disclosure or exposure.
Note: Special rules apply to personnel in previously approved secure email programs, such as LBI and Chief Counsel employees. See the LBI Secure Email program site on IRS Source and the Chief Counsel Directives Manual for more information.

When taxpayers request email contact and accept the risk of such, limited allowable situations without risking unauthorized disclosure of SBU data include:
- Message sent under a previously authorized privacy- and IT-approved secure email program (rare). For example, see the LBI Secure Email program site on IRS Source.
- Brief, unencrypted message confirming the date, time, or location of an upcoming appointment, but not the nature of the appointment. Include no SBU data (including PII and tax information, such as name control) in the email, subject line, or attachment. Permit no follow-up email discussion of any taxpayer account or case.
- Link to the publicly available forms and publications sections of IRS.gov. Avoid sending information about specific tax matters (revenue rulings, court cases, and specific IRS forms), which might unintentionally disclose the nature of a tax matter to an unauthorized third party.

When responding to unsolicited emails from taxpayers or tax professionals, respond by letter or phone; if an address or phone number is not available, respond by email. IRS personnel must:
- Delete any SBU data (including PII and tax information) appearing in the original email. Some examples of phrases to watch for are "my situation" or "my information."
- Discourage the taxpayer from continuing the discussion by email.

Sample response: To ensure your privacy, we discourage you from sending your personal information to us by email. Further, IRS doesn’t allow its personnel to exchange unencrypted personally identifiable or other sensitive information with email accounts outside of the IRS network, even with your permission. For further discussion about the matters included in your original email, please contact us by telephone, fax, or mail.

10.5.1.6.8.2 (09-24-2020) Emails to Other External Stakeholders

Do not email SBU data (including PII and tax information) to other external stakeholders unless specifically authorized. Refer to IRM 11.3.1, Disclosure of Official Information, Introduction to Disclosure.

Send SBU data (including PII and tax information) through password-protected encrypted attachments or through a previously authorized privacy- and IT-approved secure email program. For example, see the LBI Secure Email program site.
Email SBU data (including PII and tax information) outside the IRS in encrypted, password-protected attachments or secure email only when:
- Individual authorized to receive it under law or regulation, such as IRC 6103. Authority may be established by a formal request for information processed using established written procedures, or a memorandum of understanding or executed agreement which also establishes email as the secure method of transmission for the data.
- Recipient need for the information related to official duties.
- Recipient authenticated.
- Recipient accepted information and any obligation to protect.
- Access controls limited to those with need to know.
- The applicable System of Records Notice (SORN) includes the use as a published routine use. Refer to the SORN page on the PGLD Disclosure and Privacy Knowledge Base on IRS Source.
- Adherence to policy in the IRM 11.3 series, Disclosure of Official Information.

See Emails to Taxpayers and Representatives in IRM 10.5.1.6.8.1 when receiving emails from external parties that contain SBU data (including PII and tax information).

Interact with applicants or prospective contractors by email only to answer questions about their information, qualifications, or administrative matters; minimize the exposure of their personal information (such as PII). For those who must provide IRS with their SBU data (such as PII) to facilitate a business arrangement, ask them to fax, mail, or upload their SBU data to a secure system, such as USAJobs.

10.5.1.6.8.3 (09-24-2020) Emails to IRS Accounts

IRS personnel must use IRS email for email communications with other IRS personnel about official business matters. They must encrypt all internal email messages that contain SBU data (including PII and tax information) with IT-approved encryption, which includes secure messaging or password-protected encrypted attachments.
For contractors, when provided with an IRS workstation as part of a contract, they must use their IRS workstation and account for all official communication (e.g., email, instant messaging). Refer to the Contractor section of IRM 10.8.2, IT Security Roles and Responsibilities.

10.5.1.6.8.4 (09-24-2020) Emails with Personal Accounts

No officer, employee, or contractor of the IRS may use a personal email account to conduct any official business of the government.

Three limited allowable circumstances include:

Personal Information – IRS personnel may send their own SBU data (including their PII and their tax information) to or from their personal email accounts, as long as it is in a password-protected encrypted attachment. Examples may include, but are not limited to:
- Personnel forms or records.
- Financial records being used to prepare an OGE Form 450 or OGE Form 278 or other form for financial reporting related to the job.
- Records needed for a personal transaction.
- Job application, resume, self-assessment or appraisal.
- Health records or fitness for duty information.
- Travel itinerary (by adding personal email address for ConcurGov notifications related to their own travel, not approvals for others).
Exception: The encryption policy does not apply to a person’s own PII that the IRS proactively makes available to all employees on resource sites (including, but not limited to, Discovery Directory, Outlook (calendar, profile information [including profile photos], and address book), intranet, and SharePoint site collections [including profile photos]), such as names and business contact information.

Training or publicly available information – IRS personnel may transmit non-case-related content, including links, to and from themselves when IT Security constraints prevent access.
Examples of this include online training or meetings, such as webinars and seminars, as well as publicly available information (including public profile photos or business photos intended for publication with permission of pictured individuals). Exigent circumstances, such as in emergencies. This includes when the IRS network is down and there is an urgent need to communicate or in disaster recovery situations. Refer to IRM 10.8.60 and IRM 10.8.62. Limit SBU data to that necessary for the situation. Examples may include, but are not limited to: - Reporting for work. - The condition or availability of the workplace. - An emergency situation. - The well-being of IRS personnel. Note: In all instances, personnel must copy an IRS email account at the same time to ensure they retain a record of the communication in the IRS email system for transparency and information management purposes. For further guidance, refer to: Frequently asked questions (FAQs) on email scenarios (right side of the PGLD Disclosure and Privacy Knowledge Base on IRS Source). The Email section of the PGLD Disclosure and Privacy Knowledge Base on IRS Source. 10.5.1.6.8.5 (09-24-2020) Limited Exceptions to Email SBU Data Encryption The general rule for encrypting SBU data (including PII and tax information) in emails reflects the IRS’s priority to protect sensitive information from unauthorized disclosure causing a risk of loss or harm to individual privacy or to IRS data. Having evaluated business needs in relation to potential risk, the following limited exceptions regarding external emails are appropriate: Subject line of case-related emails to the Department of Justice 1. When IRS personnel communicate with the Department of Justice regarding established cases, personnel may include the case name and filing number in the subject line of those emails. If the full name is not part of the case name, then do not use the full name. 2. 
This information fits within the judicially created public records exception to IRC 6103, recognized in most jurisdictions. Refer to IRM 11.3.11.12, Information Which Has Become Public Record, for more information on the public records exception. 3. However, if the body of an email or any attachment contains additional SBU data, IRS personnel must encrypt both the email and attachment using IT-approved technology (such as certificate encryption). Emails generated to taxpayers by approved online applications 1. The IRS online applications may issue emails to taxpayers, without encryption, when the messages contain only incidental information (such as name and email address) and are for e-authentication purposes, or to inform a user that a secure message is available for viewing on the IRS website. 2. This exception is limited to the following circumstances: a. The email is automatically generated by an approved IRS application developed by or in conjunction with the Office of Online Services, and b. The taxpayer consented to these notices by completing the application’s enrollment process. During this enrollment process, the taxpayer must have received clear notice of the IRS’s intent to send such notices via email. IRS employees sending their personal SBU data via encrypted email attachment 1. IRS employees may choose to send their personal SBU data outside the IRS via an attachment encrypted with SecureZip or SEERS (formerly GERS). Use SecureZip to send one or more encrypted files, or use SEERS to send a single encrypted file. 2. Employees must send this information only if the attachment(s) is encrypted and contains only their personal SBU data. Personal SBU data is information pertaining only to an individual employee. 3. This exception does not include IRS usernames and passwords. 4. Refer to the SecureZip and SEERS (formerly GERS) brochures in the Encryption page on the PGLD Disclosure and Privacy Knowledge Base on IRS Source. 5. 
Instructions for using SecureZip and SEERS to encrypt attachments also are available on the FindIT site on IRS Source. 6. To open a SecureZip file on an external computer, the receiving computer must have SecureZip installed. SecureZip is a commercial product that can be purchased through the manufacturer’s website (free trials are available). Mobile users can obtain the free SecureZip Reader app for both iOS and Android platforms. To open a SEERS file on an external computer, it must run a Windows operating system. Emergency emails by Facilities Management and Security Services (FMSS) 1. Where significant incidents (as defined in IRM 10.2.8, Incident Reporting) occur, and FMSS employees need to supply law enforcement entities with detailed information, but cannot do it expediently by phone, they may use unencrypted email to send the necessary details, including SBU data. 2. FMSS employees must make every effort to minimize the amount of SBU data within those messages (for example, no SSNs). 10.5.1.6.8.6 (09-24-2020) Surveys by Email Special rules apply when transmitting customer satisfaction or other surveys by email. For details on the Survey process, refer to IRM 10.5.2. 10.5.1.6.9 (09-24-2020) Disposition and Destruction Documents with SBU data (including PII and tax information) must be destroyed by properly shredding, burning, mulching, pulping, or pulverizing beyond recognition and reconstruction. Ensure IRS records (hardcopy and electronic), including those containing PII, are managed appropriately and in accordance with the Records Control Schedules (RCS) Document 12990 and General Records Schedules (GRS) Document 12829 to prevent unlawful/unauthorized destruction of records. Note: An approved Form 11671, Certificate of Records Disposal for Paper or Electronic Records, is required prior to destruction of any original federal records. Refer to IRM 1.15.3, Records and Information Management, Disposing of Records. 
For destruction requirements for the different types of media (hardcopy, electronic, etc.), including shredding specifications, refer to the MP-6 Media Sanitization section in IRM 10.8.1 and follow NIST SP 800-88, Guidelines for Media Sanitization. [TD P 15-71, Treasury Security Manual, Chapter III, Section 16, Destruction of Classified and Sensitive Information] Note: If the sources for the requirements conflict, use the most stringent requirements. While PGLD owns this policy, FMSS owns the Secure Document Destruction (SDD) program. Refer to the FMSS SDD program site on IRS Source. Waste material (hardcopy, electronic, etc.) with SBU data must be placed in locked receptacles specifically marked for sensitive information (shred material, burn, sensitive, etc.). This includes material shredded with non-compliant equipment that does not meet Treasury requirements cited in (1) above. Sensitive waste material must not be discarded in regular trash bins. The guidelines provided below must be followed in order to ensure the proper destruction of sensitive waste material. Note: Bring all SBU data for destruction into the office for proper disposition, including that shredded with non-compliant equipment. Exception: Burn bags/shred boxes for Temporary Storage. [TD P 15-71, Treasury Security Manual, Chapter III, Section 16, Destruction of Classified and Sensitive Information] Managers and Contracting Officer Representatives (CORs) will periodically review work areas to ensure that sensitive waste material is being discarded in an appropriate manner. CORs will conduct periodic unannounced inspections at the off-site contractor facilities (including cloud service providers) where sensitive IRS information or data is handled. 
Results of these inspections will be documented, including identification of any privacy or security issues, and documented verification that the contractor has taken appropriate corrective actions on any privacy or security issues observed and/or identified. Exception to locked receptacles requirement: Burn bags/shred boxes for Temporary Storage SBU data to be destroyed may be torn and placed in sealed opaque containers commonly known as burn bags/shred boxes (or classified waste containers) so that the sensitive information is not visible. Burn bags/shred boxes awaiting destruction must be protected while in the employee’s custody. Burn bags/shred boxes must only be collected and contents destroyed by cleared contractor personnel or facilities maintenance personnel, and/or persons authorized by IRS privacy or security officials. Burn bags/shred boxes may also be stored within a Sensitive Compartmented Information Facility (SCIF) or security-approved open storage area pending collection by authorized personnel. Burn bags/shred boxes that are located outside a SCIF or open-storage area must not be left unattended at any time. [TD P 15-71, Treasury Security Manual, Chapter III, Section 16, Destruction of Classified and Sensitive Information] The fact that material has been identified for destruction does not change the requirement to provide appropriate protective measures. Waste material with SBU data must be provided the protection equal to that required by the most protected item. This material may include, but is not limited to, extra copies, photo impressions, microfilm, printouts, computer tape printouts, IDRS printouts, notes, work papers, or any other material containing tax information which has served its purpose. Policy and procedures for sanitization and disposal of digital media (magnetic media, diskettes, hard disks, or other storage devices, etc.) containing sensitive information can be found in IRM 10.8.1. 
Disposition and destruction of tax information must be in accordance with the Records and Information Management IRM 1.15.2, Types of Records and Their Life Cycle, IRM 1.15.3, Disposing of Records, and IRM 1.15.6, Managing Electronic Records. Although IRS personnel might know the proper methods of destroying tax data, management must reinforce this knowledge by including document destruction as a topic in orientation sessions, periodic group meetings, and other awareness sessions. Unshredded sensitive information may be turned over to a contractor provided the contract includes necessary safeguards that will ensure compliance with IRC 6103(n) requirements, provides for periodic safeguard reviews, and includes language describing methods of collection, pick-up, storage, and disposition. In the event tax information media is to be collected and destroyed by an independent contractor, to preclude the necessity of having an IRS employee present during destruction, the contract must include the safeguard provisions required by IRC 6103(n) and regulations therein. The provisions of the contract must allow for IRS inspection of the contractor facility and operations to ensure the safeguarding of IRS information. Waste material must be maintained in a secured (locked) container in a secured area to prevent sensitive information from unauthorized disclosure or access. Note: The only exception to this policy is for pipeline activities subject to a Clean Desk Policy waiver. See the Clean Desk Policy section in IRM 10.5.1.5.1. There may be areas or activities where the volume of paper documents containing tax information is sufficient to make it more practical to destroy all documents in the area of activity. 10.5.1.6.9.1 (09-24-2020) Recycling Tax information or other sensitive information may not be placed in regular recycling containers, but must be placed in secured containers and must be clearly marked. 
The preferred approach is that sensitive information be segregated and shredded in accordance with guidelines contained in Disposition and Destruction, IRM 10.5.1.6.9, prior to turning it over to the recycler. Another method is to have IRS personnel observe the destruction of sensitive information upon delivery to the recycler. This allows for destruction of sensitive information while maintaining custody of the material up to the moment of destruction. Again, the contractor must be in compliance with IRC 6103(n) requirements, which provide for safeguards and periodic safeguard reviews. However, this method is not recommended because of the resources that would be required. 10.5.1.6.10 (09-24-2020) Global Positioning Systems (GPS) and Location Services Policy regarding personally owned GPS device usage and location services (geolocation) on devices balances the business needs of field employees voluntarily using these devices and the privacy and security concerns related to the SBU data that might be contained in the devices. The purpose of the following is to minimize the risk of exposing SBU data and to prevent unauthorized disclosures. [IRC 6103, Privacy Act] 10.5.1.6.10.1 (09-24-2020) Global Positioning Systems (GPS) This exception for the use of personally owned GPS devices is limited to GPS functions only. For example, this does not apply to the use of the non-GPS functions on personally owned mobile computing devices. Input only taxpayer address information into the GPS device, and delete this information from the device once it is no longer necessary. Never input individual or business taxpayer names into the device. Do not connect the GPS device to an IRS computer, as the device has the potential to introduce computer viruses and malware into the IRS network. If available, use a security personal identification number (PIN) code with the device to help protect the privacy of tax information in the event the device is lost or stolen. 
Take every precaution to prevent the GPS device from being left unattended or unsecured. Remove portable GPS devices from the vehicle when not in use as circumstances permit. In those limited instances where a portable device is left in a locked vehicle, store it out of sight in the trunk or glove compartment. Never leave portable GPS devices in a vehicle overnight. Do not leave the portable GPS device and any mounts in an unattended vehicle in plain sight. After removing the mount, clean the suction cup mount area because it can leave marks on the windshield/dashboard indicating that a GPS or other device may be present in the vehicle, increasing the risk of a break-in. Report the loss or theft of a GPS device with taxpayer addresses (whether a government-issued GPS or a personally-owned GPS), as a potential breach of PII: Immediately upon discovery of the loss or theft, the employee must report the potential breach to the employee’s manager and the appropriate organizations based on what was lost or disclosed. For more information about how to report an incident, see IRM 10.5.4, Privacy and Information Protection, Incident Management Program, or the IM site on the PGLD Disclosure and Privacy Knowledge Base on IRS Source. 10.5.1.6.10.2 (09-24-2020) Location Services IRS personnel are strongly encouraged not to use their personal devices (phones, tablets, fitness watches, etc.) to identify taxpayer or work addresses with location services, geotagging, or GPS features or any social media accounts (Facebook Check In, Find My Friends, etc.). Geotagging pinpoints location, which might inadvertently reveal a taxpayer’s home or business, or disclose activities and location at an IRS office. Personnel should use an IRS-furnished device (if issued) when locating and receiving directions to taxpayer addresses. When using services that need location, try to avoid using an exact taxpayer address if it might pinpoint that the IRS has an interest in the taxpayer. 
10.5.1.6.11 (09-24-2020) Telework Special privacy considerations arise in the telework environment. Like all personnel, teleworking personnel have a responsibility to safeguard SBU data (including PII and tax information). Unique potential risks, such as family members accidentally taking case files left out on a desk, or overhearing phone calls with tax information, create the need for additional guidelines. For more information on Telework requirements, refer to IRM 6.800.2, Employee Benefits, IRS Telework Program. Personnel should be aware of their environment as they conduct business at an approved telework location. When establishing a home office, personnel should evaluate the nature of their work and the level of sensitivity around the information they handle on a day-to-day basis, per the Equipment and Furniture section of IRM 6.800.2. No unsecured wireless access point (wi-fi hotspot) can be used as a regular telework location. For more information about secured wireless access points (wi-fi hotspots), refer to the AC-18 Wireless Access section in IRM 10.8.1. Note: If you use a hotspot temporarily (not as a permanent Telework solution), it must be secured, so you must add security with a password. See How to use your iPhone as a Hotspot. Telework employees are to ensure that they only use secured Wi-Fi networks when working at their designated worksite (approved telework location or approved lodging) and must adhere to the following guidance for protecting taxpayers’ privacy and safeguarding confidential information. Teleworking personnel should adhere to the following guidelines. For bargaining unit employees, should any of the guidelines conflict with a provision of a negotiated agreement, the agreement will prevail. Individual office practices may supplement this information. Teleworking personnel should consider: If possible, set home office designated workspace apart from the rest of the house, ideally with a door that can be secured. 
Avoid frequent interruptions or working within listening distance of others, per the Relatives of IRS employees and Protecting Confidentiality section of IRM 11.3.1. Apply the Clean Desk requirements to data left out in work areas, credenzas, desktops, fax, copy machines, and in/out baskets. When away from the desk, secure SBU data in a locked room, locked file cabinet, or a locked desk, per the Clean Desk Policy section in IRM 10.5.1.5.1. Whenever possible, conduct phone conversations in private settings or in locations that minimize the potential for eavesdropping. Contain telephone calls that include audible SBU data within a closed office environment or out of the listening range of others, per the Use of Cell Phones and Cordless Devices section of IRM 11.3.2. To properly transmit SBU data, follow the Transmission section and subsections in IRM 10.5.1.6.7 for field and travel, mailing, shipping, electronic, faxing, printing, and phone. This includes securely transporting SBU data to the office for shredding. To properly dispose of SBU data, see the Disposition and Destruction section in IRM 10.5.1.6.9. Note: Bring all SBU data for destruction into the office for proper disposition, including that shredded with non-compliant equipment. Digital assistants, smart devices, Internet of Things (IoT), and other devices that can record or transmit sensitive audio or visual information must not be allowed to compromise privacy in the work or telework environment. These devices typically contain sensors, microphones, cameras, data storage components, speech recognition, GPS or location options, and other multimedia capabilities. These features could put the privacy of personnel and/or taxpayers at risk due to the personal information that might be unwittingly disclosed. 
When working on any form of SBU data (including PII and tax information), follow these rules: Treat the device as if it were another person in the room because many such devices and applications can record and/or transmit data when activated. To protect privacy, the personnel must mute or disable the listening/detecting features of the device so that SBU data is not sent to the device or anything to which it is connected. If the device or application can take photos or record video or sound, then the personnel must not do sensitive work within visual or audio range. These devices/applications include (but are not limited to the examples provided): Digital assistants (such as Dot or Echo hardware using Alexa software, HomePod using Siri, etc.). Voice-activated devices and smartphone applications (such as Siri, Google Now (“Okay Google”), or Alexa on phones, tablets, etc.). Non-IRS-approved video-chatting apps (FaceTime, SnapChat, etc.). Internet of Things (IoT) equipment (devices, systems, etc.). Internet-connected toys (Cloud Pet, Smart Toy, Hello Barbie, etc.) that might record and transmit. Security systems and webcams in the telework environment. Smart TVs or auxiliary equipment (if it includes voice activation). Operating systems/applications (such as Windows 10, Cortana, etc.) that allow voice commands. Home surveillance, security, and video/audio: Webcams on personal devices in the home, security cameras/microphones. For more information about privacy risks of Internet-connected toys, refer to the FBI’s Public Service Announcement, “Consumer Notice: Internet-Connected Toys Could Present Privacy and Contact Concerns for Children:” https://www.ic3.gov/media/2017/170717.aspx 10.5.1.6.12 (09-24-2020) Bring Your Own Device (BYOD) Bring your own device (BYOD) is a concept that allows personnel to utilize their personally‐owned technology devices to stay connected to, access data from, or complete tasks for their organizations. 
At a minimum, BYOD programs allow users to access employer‐provided services and/or data on their personal tablets/e-readers, smartphones, and other devices. To protect the privacy of the tax information, BYOD participants must: Use only IRS-approved applications. Refrain from using devices in public settings where conversations involving tax information might be overheard or where screens with tax information might be seen. Refer to the Use of Cell Phones and Cordless Devices section in IRM 11.3.2, Disclosure to Persons of Material Interest. Follow the terms in the Personally-Owned Mobile Device Acceptable Use Agreement, including, but not limited to: 1. Report lost or stolen devices timely and accurately. 2. Follow procedures for removal of the IRS-approved mobile device business software if changing which device will be used or leaving the program. 3. Adhere to all applicable laws, regulations, rules, policies, and procedures, including Federal Records Act, Office of Government Ethics Standards of Ethical Conduct, and the Department of the Treasury Employee Rules of Conduct. Note: This program protects the privacy of the taxpayer. All BYOD users must acknowledge having no expectation of privacy regarding any use of the IRS-approved mobile device business software on their mobile devices. For the privacy of the BYOD employee, the employee may block the outgoing phone number of the personal device per IT4U BYOD guidance on their site on IRS Source. Note: The Fair Debt Collection Practices Act (FDCPA) does not prohibit this practice by the IRS. The IRS is not a creditor or debt collector under the FDCPA. Section 803 (6) of the FDCPA defines the term "debt collector," and specifically excludes in (C) "any officer or employee of the United States or any State to the extent that collecting or attempting to collect any debt is in the performance of his official duties." 
Refer to IRM 10.8.26, Government Furnished and Personally Owned Mobile Computing Device Security Policy, and IRM 10.8.27, IRS Policy on Limited Personal Use of Government IT Resources. For more information about BYOD, see also the IT4U BYOD site on IRS Source. 10.5.1.6.13 (09-24-2020) Civil Liberties Privacy and civil liberties often overlap. Civil liberties are the rights of people to do or say things that are not illegal without being stopped or interrupted by the government (due process). For example, the U.S. Constitution’s Bill of Rights guarantees civil liberties: https://www.archives.gov/founding-docs/bill-of-rights The Privacy Act provides for privacy and civil liberties protections, outlined in the First Amendment section in IRM 10.5.1.6.13.1 and detailed in the Recordkeeping Restrictions section of IRM 10.5.6, Privacy Act. Through the Taxpayer Bill of Rights, codified in IRC 7803(a)(3), the IRS makes taxpayer privacy (with due process) and confidentiality essential rights that help protect their civil liberties: https://www.irs.gov/taxpayer-bill-of-rights The Privacy Act also allows for due process rights, as it forms the basis for the IRS Privacy Principles. Many existing privacy policy and compliance requirements, including the IRS Privacy Principles, also protect civil liberties. For example, the principle of Data Quality ensures fair treatment [PVR-07]. The principle of Access, Correction, and Redress ensures due process [PVR-09], as do the principles of Openness and Consent [PVR-04], and Verification and Notification [PVR-08]. The IRS further addresses civil liberties protections through the PCLIA. The PCLIA reinforces Privacy Act requirements regarding the collection of First Amendment activities information and monitoring of individuals (see the Monitoring Individuals section in IRM 10.5.1.6.13.3). Refer to IRM 10.5.2 for more information on the PCLIA process. 
For more information, refer to the Recordkeeping Restrictions section of IRM 10.5.6, Privacy Act. For more information, refer to Treasury’s Privacy and Civil Liberties Impact Assessment (PCLIA) Template and Guidance. 10.5.1.6.13.1 (09-24-2020) First Amendment The Privacy Act prohibits federal agencies from maintaining records on how any individual exercises their First Amendment rights unless certain exceptions apply. These First Amendment rights include religious and political beliefs, freedom of speech and of the press, and freedom of assembly and petition. Congress intended agencies to apply the broadest reasonable interpretation when determining whether a particular activity is a right guaranteed by the First Amendment. IRS personnel must not keep files of persons who are merely exercising their constitutional rights. IRS personnel involved in the design, development, operation, or maintenance of any system of records subject to the Privacy Act must be aware of the prohibitions against maintaining records on the exercise of First Amendment rights and alert to any potential violation of that prohibition. Taxpayers must report income and provide information necessary to verify deductions on their tax returns. The IRS may collect such information although, in some instances, this data may reveal how individuals exercise their First Amendment rights, such as religious affiliation, group membership, or political preference. The IRS may collect this information because statutory exceptions apply. [Privacy Act; PVR-02] For more information, refer to the Recordkeeping Restrictions section of IRM 10.5.6, Privacy Act. 10.5.1.6.13.2 (09-24-2020) Recordings in the Workplace Widely available electronic recording and monitoring equipment (such as digital cameras and smartphones) raise privacy and security concerns. 
IRS personnel must not make recordings or conduct monitoring of any type (including, but not limited to, audio, video, photographic, or infrared) in IRS facilities without a business need and prior FMSS approval (except audio recordings, which require direct supervisor approval) or at alternative duty stations duties remote to the conventional office site (e.g., satellite locations, employee’s residence). Refer to the Photography Prohibited and the Alternative Duty Stations - Telework sections of IRM 10.2.11, Physical Security Program, Basic Security Concepts. Privacy concerns for recording in the workplace center around individual employee privacy and the potential disclosure of SBU data (including PII and tax information). The law for recording others in the workplace varies by state, but many states require consent of both the recording individual and the recorded individual. To protect individual employee privacy, IRS policy prohibits most recordings because of such variations. IRS personnel may use their smartphones (or other devices with recording capabilities) in the workplace. However, they must take reasonable precautions that no unauthorized recordings or disclosures occur. When working on any form of SBU data (including PII and tax information), such precautions include muting or disabling voice-activated devices and smartphone applications (such as FaceTime, Siri or Google Now (“Okay Google”) on phones, tablets, etc.). For more information about precautions, see the Telework section in IRM 10.5.1.6.11 about digital assistants, smart devices, IoT, and other devices that can record or transmit sensitive audio or visual information. Certain circumstances allow for limited recording in the IRS workplace. They include: Approval and Consent: When approval authority approves the business need, and all participants consent to the recording beforehand, an employee may make a recording in the IRS workplace. 
Service Quality Control: Employees may make recordings when performed to determine the quality of service delivery, such as with Contact Recording. Taxpayer Interviews: Taxpayers may request to audio record in-person interviews, with prior notice to the IRS, and the IRS may record those interviews, under IRC 7521(a). Refer to IRM 4.10.3, Examination of Returns, Examination Techniques; IRM 5.1.12, Field Collecting Procedures, Cases Requiring Special Handling, and IRM 25.5.5, Summons, Summons for Taxpayer Records and Testimony. Investigation: This policy does not apply to criminal investigations or official investigations relating to the integrity of any officer or employee of the IRS. See IRC 7521(d). Employee Education: When used for employee education, employees may make recordings using IRS-issued software applications or platforms, such as Adobe Articulate, Skype, or Saba Centra. Reasonable Accommodation: When performed by an individual with a disability as part of an approved reasonable accommodation, certain recordings may be allowed. Refer to IRM 1.20.2, Equal Employment Opportunity and Diversity, Providing Reasonable Accommodation for Individuals with Disabilities. Labor Relations: The policy is not intended to and should not be interpreted to interfere with employee rights to engage in concerted activity under the National Labor Relations Act. For more information, refer to IRM 6.432, Performance Base Reduction in Grade and Removal Actions; IRM 6.711, Labor-Management Relations; IRM 6.751, Discipline and Disciplinary Actions; IRM 6.752, Disciplinary Suspensions and Adverse Actions; and IRM 6.771, Agency Grievance System. If any personnel receives proper approval and consent to make a recording or take a photograph, that person must not record or photograph SBU data (including PII and tax information), ensuring those items are not in view or earshot of the device. 
If SBU data (including PII and tax information) appears in an electronic recording nonetheless, an employee must protect the recording as SBU data and must not disclose the information unless a statutory exemption applies under IRC 6103 or the Privacy Act (depending on the nature of the data). For more information, refer to IRM 10.8.26; IRM 11.3.1, Introduction to Disclosure; and IRM 10.5.6, Privacy Act. 10.5.1.6.13.3 (09-24-2020) Monitoring Individuals The IRS needs to conduct some monitoring of individuals to protect federal systems, information, and personnel. Examples of such monitoring include access logs to IRS facilities and audit trails that monitor IT usage. [Privacy Act] However, limitations still exist on use of any PII collected, with sharing on a need-to-know basis for its intended use only. [Privacy Act] Monitoring of the public outside IRS facilities must not occur without first consulting Privacy Policy [Treasury’s Privacy and Civil Liberties Impact Assessment Template and Guidance]. For assistance, email **Privacy. Note: This policy does not apply to criminal investigation activities. Refer to IRM 9.4.6, Surveillance and Non-Consensual Monitoring. For more information about the limitation of monitoring individuals, refer to the Privacy Act Recordkeeping Restrictions section of IRM 10.5.6, Privacy Act. The IRS PCLIA addresses these limitations. For more information about PCLIAs, refer to IRM 10.5.2, Privacy Compliance and Assurance (PCA) Program. 10.5.1.6.14 (09-24-2020) Contractors The IRS has privacy obligations for contractors with access to SBU data (including PII and tax information). As outlined in the IRS Privacy Principle of Accountability and NIST Privacy Control AR-3, Privacy Requirements for Contractors and Service Providers, the IRS must: Establish privacy roles, responsibilities, oversight, and access requirements for contractors and service providers throughout the privacy lifecycle. 
[OMB A-130] Include privacy requirements for all relevant stages of the privacy lifecycle in contracts and other acquisition-related documents. Follow Privacy Act requirements regarding contractors, outlined in the Publication and Reporting section of IRM 10.5.6, Privacy Act. Employees responsible for procurement activities on contracts that involve SBU data (including PII and tax information) must therefore: Ensure all tax, privacy, and security clauses are included in contracts as required in IRM 11.3.24, Disclosures to Contractors. Ensure necessary clauses are included in all contracts and the appropriate safeguards are in place before disclosing any necessary SBU data (including PII and tax information) and/or Privacy Act information to a contractor. Ensure contractors (including non-IRS procured contractors) take required privacy, security, disclosure, and UNAX training and complete Non-Disclosure Agreements (NDAs) within the required time frames per CSM instructions. [OMB A-130] Ensure the contractor receives a copy of the approved PCLIA, if one is required. For more information on the PCLIA process, refer to IRM 10.5.2. Ensure each contractor employee receives a background investigation appropriate for the risk level designation associated with the contracted work (often Moderate for access to SBU data). Note: Any staff-like access (facilities, systems, or SBU data) requires completion of a favorable suitability/fitness determination (background investigation) conducted by IRS Personnel Security. Ensure contractors with access to SBU data comply with IRM 10.8.1, as well as the relevant 10.8 series IRMs or Pub 4812, Contractor Security Controls, which requires: 1. All contracting actions with SBU data (including PII and tax information), with some exceptions, carry a Moderate impact security level. 2. Contracts with staff-like access to FISMA systems carry a High impact security level. 
Note: These are security impact levels, not background investigation levels. [PVR-01; AR-3] Refer to IRM 10.23.2, Contractor Investigations, or the Procurement site on IRS Source. 10.5.1.6.15 (09-24-2020) Online Data Do not post SBU data (including PII and tax information) online, including IRS official internal or external websites or cloud-based systems or services, unless secured with IT-approved access controls by the IRS (or by an IRS vendor bound by contract to protect the information). [NIST SP 800-122, TD P 85-01] Note: However, this policy does not apply to SBU data the IRS proactively makes available to all IRS personnel on internal resource sites (including, but not limited to, Discovery Directory, Outlook (calendar, profile information, and address book), intranet, and SharePoint site collections), such as names, SEID, and business contact information. Persistent cookies or other tracking devices to monitor the public's visits may not be used on an IRS Internet site except as authorized by OMB regulations. Online data may require several types of notices: An IRS-approved IT system use notification message (see the AC-8 System-Use Notifications section of IRM 10.8.1). Link to IRS.gov Privacy Policy (see the IRS.gov Privacy Policy Notice section in IRM 10.5.1.6.15.1). A website or application Privacy Policy notice (see the Website or Application Privacy Policy Notice section in IRM 10.5.1.6.15.2). Privacy Policy Departure Notice (see Privacy Policy Departure Notice section in IRM 10.5.1.6.15.3). Privacy Act Notice (if collecting data on a form). Note: Online privacy policy statements differ from Privacy Act notices required by the Privacy Act on forms that ask individuals to supply Privacy Act-protected information. For more information on the Privacy Act notification programs, see IRM 10.5.6, Privacy Act. For any Privacy Policy notice approval, email *Privacy. 
For policy on authentication of individuals in online transactions, see the Electronic Authentication section in IRM 10.5.1.7.10.

10.5.1.6.15.1 (09-25-2019) IRS.gov Privacy Policy Notice

The IRS Internet privacy policy notices on IRS.gov inform the public of the information collection procedures and the privacy measures in place for a particular Internet website or activity. [E-Government Act, OMB A-130, OMB-03-22]
The IRS privacy policy notices must be posted at every major entry point to an IRS Internet website or application, as well as on any page collecting substantial personal information from the public. The requirement includes, at a minimum, a link to the IRS.gov privacy policy. It also may include a unique privacy policy for that website.
The IRS privacy policy notice is:
- An overview of IRS privacy practices.
- A description of any information collected and stored automatically by the system and how this information will be used.
- An explanation of how IRS will use any PII submitted by the Internet visitor.
- A notice that security and intrusion protection measures are in place.
See the overarching IRS.gov Internet Privacy Policy notice: https://www.irs.gov/privacy-disclosure/irs-privacy-policy

10.5.1.6.15.2 (09-24-2020) Website or Application Privacy Policy Notice

A unique privacy policy for a website or application can detail the differences from the IRS.gov privacy policy. This policy applies to any website or application hosted by or on behalf of the IRS. [E-Government Act, OMB A-130, OMB-03-22]
Note: If the website or application is asking for SBU data (including PII or tax information), then the website or application needs to explain its use of the data.
The website or application privacy policy must still link to the IRS.gov Privacy Policy.
A simple example, with blanks to fill in the details pertinent to the website or application, is:
_____ Privacy Policy
This privacy policy describes the use of your personal information including _____.
To prevent fraud and identity theft, the IRS does not send unsolicited emails or text messages to taxpayers or businesses containing any IRS related information or requesting your personal information such as name, address, social security number (SSN), taxpayer identification number (TIN), Employer Identification Number (EIN) and tax history.
To participate in _____, you will be required to provide _____ in order for the IRS to _____. By agreeing to use the IRS _____, you give the IRS permission to _____. You will have the ability to opt-out of this at any time by _____.
More complicated policy notices might be needed if the website or application is more complex.

10.5.1.6.15.3 (09-24-2020) Privacy Policy Departure Notice

Any IRS Internet website (or link to a third-party site on behalf of IRS) that links to external sites must post a departure notice. This notice alerts Internet visitors that they are about to leave the IRS website and its privacy practices. It advises them to review the website privacy practices for the website they are about to enter.
Refer to the IRS Internet Departure Notice page on the IRS Source.

10.5.1.6.15.4 (09-24-2020) Intranet Privacy Policy

IRS Intranet (for example, IRS Source) privacy policy notices inform personnel of the information collection procedures and the privacy measures in place at a particular intranet site or activity.
The IRS privacy policy notice must be posted at every major entry point to an intranet site, as well as on any page collecting personal information from an individual.
The IRS intranet privacy policy notice is:
- An overview of IRS privacy practices.
- A description of any information collected and stored automatically by the system and how this information will be used.
- An explanation of how the IRS will use any PII submitted by the individual.
- A notice that security and intrusion protection measures are in place.
The notice is available on the IRS intranet.
Any IRS intranet site or page that links to external sites must post a departure notice. This notice alerts IRS personnel that they are about to leave the IRS website and its privacy practices. It advises them to review the privacy practices on the website that they are about to enter.
Refer to the IRS Intranet departure notice on IRS Source.
Persistent cookies or other tracking devices to monitor an individual's visit to IRS intranet sites may not be used except as authorized by OMB regulations.

10.5.1.6.16 (09-24-2020) Social Media

The IRS uses social media to share the latest information on tax changes, initiatives, products, and services. To expand reach to taxpayers and stakeholders, the IRS shares information on several social media platforms, including Twitter, Facebook, and LinkedIn.
Because the use of social media allows potential direct interaction with the public, the IRS implemented specific rules to ensure only authorized employees speak in an official capacity. With the exception of approved IRS communicators handling official IRS media initiatives, IRS employees are not authorized to use social media in an official capacity. Refer to the Social Media Guidelines for IRS Employees site on IRS Source.
For more information about Internet research guidelines, refer to the Use of Social Networking and Other Internet Sites by IRS Employees for Compliance Research or for Other Purposes section in IRM 11.3.21, Investigative Disclosure.
Personal, non-work usage of these social media tools on personal devices must not compromise the confidentiality of SBU data (including PII or tax information) or the integrity of the IRS.
With the exception of approved IRS communicators handling official IRS media initiatives, IRS personnel are not authorized to use social media in an official capacity and should adhere to the Communications and Liaison guidelines. Refer to the Social Media site on IRS Source.
To use any existing IRS social media tools in communications plans or outreach initiatives, business units must use the appropriate social media authorization form or contact the appropriate social media platform owner.
If an IRS organization would like to consider use of a new social media platform, they must submit a New Media Use Authorization Form for approval by the IRS Social Media Governance Council, along with a Social Media PCLIA.
For more information on Social Media PCLIAs, refer to IRM 10.5.2, Privacy Compliance and Assurance (PCA) Program, or the Social Media site on IRS Source.

10.5.1.6.17 (09-25-2019) Data on Collaborative Technology and Systems

This policy does not apply to PII the IRS proactively makes available to all personnel on resource sites (including, but not limited to, Discovery Directory, Outlook (calendar, profile information, and address book), intranet, and SharePoint site collections), such as names and business contact information.
Some of the privacy risks associated with collaborative data sites include:
- Breaches and inadvertent disclosures.
- Unauthorized access of data without a need to know.
- Sharing data without proper permissions or authorizations.
The data residing on collaborative data sites require privacy protections. These protections must include:
- Controlling access to the sites (both as a user and as an administrator).
- Controlling what data is shared on the sites.
- Ensuring privacy and security controls are in place.
Refer to the SC-15 Collaborative Computing Devices section in IRM 10.8.1 for additional information.

10.5.1.6.17.1 (09-24-2020) Outlook Calendar

IRS personnel may place information that is not SBU data (including PII and tax information) on all calendars without restriction.
Personnel must not post SBU data (including PII and tax information) on public calendars with uncontrolled access.
The following applies any time a business need requires some form of SBU data (including PII and tax information) on the Microsoft Outlook calendar:
- Personnel must assign permissions on the calendar to limit access to only those people with a need to know the information.
- Personnel must encrypt any attachments to the calendar that contain SBU data (including PII and tax information) other than noted in the following sections.
Note: This encryption policy does not apply to SBU data (including PII and tax information) the IRS proactively makes available to all personnel on resource sites (including, but not limited to, Discovery Directory, Outlook (calendar, profile information, and address book), Intranet, and SharePoint site collections), such as names and business contact information.
For Business Unit Calendar Meetings/Appointments Regarding Taxpayers:
Personnel may place on the calendar only a portion of the taxpayer's name, the last two digits of the tax year, and any business unit-specific codes that are not sensitive PII (such as a case control number that is not an SSN and not easily linked to a taxpayer by an outside party).
The abbreviated name should consist of the first four significant characters of the taxpayer entity's name (the name control):
  i. For individual taxpayers, these significant characters could include the first four letters of the individual taxpayer's last name (for example, John Smith would be "SMIT", or the IDRS name control could be used). If the taxpayer's name consists of only four characters or fewer, it is appropriate to use the entire name.
  ii. For corporations, partnerships, trusts or other such entities, the first four letters of the entity's name, excluding articles, could be the first four significant letters used (for example, "The Corporation Company" would be "CORP", or "Taxpayer Foundation" would be "TAXP").
For Calendars for Offices with Regulatory, Investigative, and/or Advocacy Responsibilities (docketed case meetings):
These requirements apply to calendars for Appeals, Chief Counsel (Counsel), Criminal Investigation (CI), Taxpayer Advocate Service (TAS), and other functions with regulatory, investigative, and/or advocacy responsibilities.
When the subject matter of the meeting is a case docketed in the United States Tax Court or other judicial forum, calendar the meeting as the case name (for example, the name of the taxpayer with case number).
Note: This does not violate privacy principles, as the name of the case is public record information. It falls under the judicially created public records exception. (For more information, refer to the Information Which Has Become Public Record section in IRM 11.3.11.)
This practice also applies for unsealed CI matters (such as an indictment, where testimony occurred in an open proceeding, or if an official press release is issued). It would not apply for sealed federal court matters.
For Calendars for Offices with Regulatory, Investigative, and/or Advocacy Responsibilities (particular taxpayer meetings):
Counsel's calendar entry may use a succinct description of the subject matter and include the case control number assigned to the matter in Counsel's management information system (CASE-MIS). For example, an Outlook entry for a meeting to discuss whether to pursue enforcement of a summons in the examination of taxpayer A would appear as "Summons enforcement/POSTF-123456-08." Except for assignments of cases docketed in the U.S. Tax Court (see previous section), this case control number is public record and not PII that must be protected. An invitee could then access CASE-MIS to ascertain the identity of the taxpayer with respect to whom the summons enforcement matter is to be discussed.
CI may use the Criminal Investigation Management Information System (CIMIS) investigation number.
TAS, as well as Counsel to the National Taxpayer Advocate, may use the Taxpayer Advocate Management Information System number plus the first four (4) significant letters of the taxpayer entity's name.
For Non-Taxpayer-Related Meetings/Appointments:
An entry on the calendar for meetings with external parties doing business with the IRS (Enrolled Agents, for example) that does not concern specific taxpayers, would consist of the name of the external representative, the name of the organization (where appropriate), and/or the subject matter of the meeting.
Personnel may send any meeting-related non-taxpayer-related PII or SBU data in a separate email (with encrypted, password-protected attachments using IT-approved encryption methods) with directions in the calendar invite to look for the separate email.
Examples of situations where this practice would be used include, but are not limited to:
  i. Where Counsel hosts informational meetings with external parties, such as trade groups or other professional organizations, in conjunction with its published guidance program.
  ii. Where IRS organizations meet with external parties for the purposes of planning or delivering presentations or for procurement matters.
  iii. Examples of emails requiring encrypted PII or SBU data attachments in these scenarios include details on speakers (such as resumes) or procurement issues (such as contract information).
Personnel may voluntarily include their personal appointments on the calendar to ensure business appointments do not conflict.
Supervisors may note absences of direct reports on the calendar so that the supervisor may schedule meetings, assign work, and manage his/her work unit more efficiently. The supervisor may not include additional information such as the whereabouts of those direct reports. However, official travel status and telework notations (without addresses) are acceptable supervisor calendar entries.
Leave and other personal information on shared group calendars may be included only with the permission of the affected personnel.

10.5.1.6.17.2 (09-25-2019) Online Meeting Tools

Online meeting tools include Skype for Business, Saba Centra, Webex, etc. Use only Enterprise Architecture-approved tools.
Skype for Business is an encrypted method of communicating within the IRS network.
For Saba Centra, Webex, and other approved virtual meeting tools with encrypted communication capability:
- Ensure that the audience/recipients are authorized to view the material.
- Share SBU data (including PII and tax information) on a need-to-know basis.
Online meeting tools may convey SBU data; however, do not use instant messaging (such as Skype) to conduct official business without saving an official record. Refer to the Use of Agency-approved Electronic Messaging Systems section in IRM 1.15.6.

10.5.1.6.17.3 (09-24-2020) Shared Drives

The IRS shared network drives (such as I drive, S drive, home directories or other shared resource) are governed in part by the section SC-28 Protection of Information at Rest in IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance. This policy makes it clear that only those with a need to know may have access to SBU data (including PII and tax information) on shared drives, with tight access and controls in place. Because of these controls, encryption is not required.
To protect the privacy of employee and tax information, the law and IRS policy require a PIA when the IRS uses PII in Information Technology to ensure examination and mitigation of privacy risks, with few exceptions.
When a shared drive contains SBU data (such as PII, tax, or employee information), site owners must submit a SharePoint PIA through the Privacy Impact Assessment Management System (PIAMS) available through the IRS intranet. Use the PIAMS SharePoint PIA questionnaire because of the similar collaborative data use.
Prepare the SharePoint PIA at the highest shared drive level (such as \\<server>\<share>\<department>), not the individual file or folder level. Indicate whether the SBU data is housed on a shared drive or SharePoint site and also note whether database(s) are included and what type. Correctly align personnel access to the shared drives and create a process for documenting access approvals. Meet requirements outlined in IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance, in the Access to Sensitive Information section.
When automated checks can’t be performed, business units are expected to perform due diligence and develop the appropriate awareness training, operational instructions, and job aids (e.g., banners, standard operating procedures, or handouts) to aid personnel in self-reporting.
For more information on PIAs and PCLIAs, refer to IRM 10.5.2, Privacy Compliance and Assurance.

10.5.1.6.17.4 (09-24-2020) SharePoint

Sharing data in collaborative data environments, such as SharePoint, might offer valuable benefits while having inherent privacy risks. Understanding the risks involved with sharing data on these sites allows for risk management.
SharePoint access controls shall limit access using site, folder, and file permissions as appropriate. Site collection owners also must ensure SharePoint users follow rules and protect privacy.
A SharePoint PIA is required any time a SharePoint site collection contains SBU data (including PII and tax information). The IRS reviews these privacy protections through the SharePoint PIA process.
For more information on SharePoint PCLIAs, refer to IRM 10.5.2, Privacy Compliance and Assurance (PCA) Program.
For more information on Collaborative Environments, refer to IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance.

10.5.1.6.17.5 (09-24-2020) Cloud Computing

Before contracting for cloud services, address the necessary privacy and security policies.
All procurements of cloud computing services that include SBU data (including PII and tax information) must be approved by PGLD via the Privacy and Civil Liberties Impact Assessment (PCLIA) process (required by the ELC).
The IRS PCLIA process addresses privacy concerns for IRS systems with SBU data (including PII and tax information) using cloud computing. These issues include, but are not limited to:
- Who is the Cloud Service Provider (CSP)?
- Who has access to the information at the Cloud Service Provider?
- Do other CSPs service this CSP (subcontract with), such as performing updates, maintenance, or other services?
- What is the Cloud Service Provider’s Federal Risk and Authorization Management Program (FedRAMP) compliance status?
- What deployment model (private, hybrid, etc.)?
- Where does the information go?
- Where is it stored, transmitted?
- How is it secured?
- What security categorization (Low, Moderate, High)?
- How reliable and secure is the audit trail?
- How will monitoring be done and how often?
- Does the CSP contract include all required privacy and security contract clauses, including those for protecting SBU data (including PII and tax information)?
Except for systems principally supporting overseas Federal/Treasury personnel and/or activities, Treasury systems shall be located and operated within the U.S. [TD P 85-01, control SA-4_T.193]
Note: This includes Treasury contractor systems. PGLD and COR must provide written notification to the contractor when the contractor is permitted to maintain Government data at a location outside the U.S.
Failure to comply with privacy and security policies and processes might necessitate contract modifications.
For more information on cloud computing issues and cloud deployment models, refer to IRM 10.8.24, Information Technology (IT) Security, Cloud Computing Security Policy, and IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance.
10.5.1.6.18 (09-24-2020) Training

Although IRC 6103(h)(1) permits the disclosure of tax information to IRS personnel for the purposes of tax administration to the extent the individual obtaining that access has a "need to know," IRS employees must avoid the use of tax information in training.
Using tax information increases the risks of unauthorized disclosure and might subject the IRS to civil unauthorized disclosure actions which might then result in disciplinary actions against the offending employee(s). Use of tax information also raises issues about compliance with the IRS Taxpayer Bill of Rights, codified in IRC 7803(a)(3), which requires the IRS to protect taxpayer rights to privacy and confidentiality.
While 6103(h) authorizes disclosure when information is helpful in performing tax administration duties, returns and return information should not be used for training purposes when hypothetical or fictional cases will serve the training requirements.
Note: Avoiding extra effort is not justification for increasing risk.
Employee publications, training and presentation materials are publicly available under the Freedom of Information Act and in the FOIA Library on IRS.gov. That makes it critical that all IRS employees follow published guidelines to prevent the unauthorized disclosure of tax information.
For more information about fictionalizing data, see the PGLD Fictitious Identifying Information Examples page and the Disclosure Requirements section of IRM 6.410.1, Learning and Education, Learning and Education Policy.
For more information about training material and official use only requirements, refer to IRM 11.3.12, Designation of Documents, and IRM 1.11.2, Internal Management Documents System, Internal Revenue Manual (IRM) Process.

10.5.1.7 (09-24-2020) Privacy-Related Programs

The IRS promotes a robust privacy program leveraging the use of technology and privacy processes.
The IRS privacy program improves taxpayer service by protecting the privacy of taxpayers’ and employees’ data and enhancing their trust. Designing privacy into the IRS modernization initiative (people, systems, processes, and technology) further improves the protection of SBU data (including PII and tax information) throughout the IRS.
Privacy issues are integral to IRS business. Because of the complexity, scope, and importance of privacy to the IRS mission, PGLD is not the single point of contact for all privacy-related programs.
This IRM and IRM 10.5.2, Privacy Compliance and Assurance (PCA) Program, provide links and references to other IRMs and programs that work closely with PPC or contain elements of privacy within those programs. IRS personnel must familiarize themselves with and utilize all links/reference IRMs, as appropriate. This includes, but is not limited to, the following privacy-related programs, not all of which PGLD manages.
For more information about PGLD, refer to IRM 1.1.27, Organization and Staffing, Privacy, Governmental Liaison and Disclosure (PGLD), and the PGLD Disclosure and Privacy Knowledge Base on IRS Source.

10.5.1.7.1 (09-24-2020) IRS Privacy Council

Privacy Policy and Knowledge Management (PPKM), within PGLD’s PPC, oversees and coordinates the IRS Privacy Council. [AR-1]
The purpose of the IRS Privacy Council is to:
- Develop a cohesive privacy vision to implement and oversee IRS-wide privacy and disclosure policies.
- Serve as a high-level strategy and policy development group charged with identifying and effectively addressing significant current and emerging information privacy, disclosure, and related policy issues.
- Centralize the Chief Privacy Officer’s (CPO) policy-making role in the development and evaluation of legislative, regulatory, and other policy proposals, which implicate information privacy issues.
In so doing, the Council takes a central role in ensuring the IRS is fully compliant with federal laws, regulations, and policies relating to information privacy while enabling continued progress and innovation.
To accomplish these objectives, the IRS Privacy Council members will:
- Engage the Business Units and Operating Divisions for purposes of multi-level identification of issues appropriate for Council action.
- Partner with cross-functional working groups to identify and work issues appropriate for Council action.
- Generate policy guidance to be issued from the CPO.
- Establish communications and web strategies to ensure successful dissemination of guidance and additional tools for ongoing IRS-wide education and assistance.
- Conduct periodic reviews of established policy guidance to ensure sufficiency and consistency.
- Partner with Office of Chief Counsel for consultative purposes, and to identify and develop needed legislative and regulatory proposals.
- Review and comment on circulated draft legislation, Executive Orders, Office of Management and Budget memoranda, executive agency white papers, and other inter-governmental documents.
- Provide subject matter expertise on broad-scope IRS-wide initiatives.
- Partner with program offices to ensure information privacy and disclosure policies are appropriately included in training modules. [PVR-01; AR-1]
The IRS privacy community participates in the Federal Privacy Council (FPC) to identify federal agency best practices, build and strengthen collaboration with other agencies, and conduct outreach as appropriate. See the References section in Exhibit 10.5.1-2 for the link to the FPC website and resources.
For more information, email *Privacy or refer to the IRS Privacy Council site on the PGLD Disclosure and Privacy Knowledge Base on IRS Source.
10.5.1.7.2 (09-24-2020) Privacy and Civil Liberties Impact Assessment (PCLIA)

Privacy Compliance and Assurance (PCA), within PGLD’s PPC, supports the IRS in recognizing the importance of protecting the privacy of taxpayers and employees, balancing the need for information collection with the privacy risks.
The vehicle for addressing privacy issues in a system is the PCLIA. [OMB A-130]
If the IRS procures, uses, or develops IT to process (collect, maintain, or disseminate) PII, the IRS must consider the privacy protections with a PCLIA. [E-Government Act]
For more information about the PCLIA process, refer to IRM 10.5.2, Privacy Compliance and Assurance (PCA) Program, or the PCLIA site on the PGLD Disclosure and Privacy Knowledge Base on IRS Source.

10.5.1.7.3 (09-24-2020) Business PII Risk Assessment (BPRA)

Privacy Compliance and Assurance (PCA), within PGLD’s PPC, uses the Business PII Risk Assessment (BPRA) program to assess privacy risks in IRS processes. The BPRA addresses the impact of privacy risks in the same way an IT security risk assessment addresses the impact of security risks to the IRS. [OMB A-130]
For more information about the BPRA program, email *Privacy or see the BPRA page on the PCA site on the PGLD Disclosure and Privacy Knowledge Base on IRS Source.

10.5.1.7.4 (09-24-2020) Treasury PII Holdings Report

Treasury is mandated by Congress to maintain a listing of all systems that contain PII. The database is designed to assist the Treasury in maintaining a detailed inventory of its PII holdings. [SE-1, OMB A-130]
For more information about the Treasury PII Holdings Report, email *Privacy.

10.5.1.7.5 (09-24-2020) Unauthorized Access (UNAX)

Information Protection Projects (IPP), under PGLD’s Identity and Records Protection (IRP), administers the Unauthorized Access to Taxpayer Accounts (UNAX) program.
The term UNAX is used to define the act of committing an unauthorized access, attempted access or inspection (commonly referred to as UNAX) of any tax information contained on paper or within any electronic format without a management-assigned IRS business need.
For more information, refer to IRM 10.5.5, IRS Unauthorized Access, IRS Unauthorized Access, Attempted Access or Inspection of Taxpayer Records (UNAX) Program Policy, Guidance and Requirements.
Refer to the UNAX site on the PGLD Disclosure and Privacy Knowledge Base on IRS Source.

10.5.1.7.6 (09-24-2020) Mandatory Briefings

Mandatory briefings deliver required IRS-wide training – including the Privacy Information Protection and Disclosure and UNAX briefings managed by the PGLD offices of PPKM and IPP, respectively.
For more information about mandatory briefings, refer to the Mandatory Briefings page on the PGLD Disclosure and Privacy Knowledge Base on IRS Source.

10.5.1.7.7 (09-24-2020) Records and Information Management (RIM)

Records and Information Management (RIM) Office within IRP supports the IRS mission and programs by promoting current information, guidance, and awareness of the importance of managing records throughout the IRS. The RIM program addresses the requirements for recordkeeping, protection, review, storage, and disposal.
The public expects that IRS records are available where and when they are needed, to whom they are needed, for only as long as they are needed, in order to conduct business, adequately document IRS activities, and protect the interests of the federal government and American taxpayer. All IRS records are required under the Federal Records Act to be efficiently managed until final disposition.
Refer to IRM 1.15.7, Records and Information Management, Files Management, for additional information.

10.5.1.7.8 (09-24-2020) Disclosure

Disclosure, within PGLD’s Governmental Liaison, Disclosure and Safeguards (GLDS), supports the Disclosure program.
Disclosure safeguards confidential records, from the mailroom to the Commissioner’s office. The word "sensitive" encompasses every type of SBU data from tax records to personal employee data.
Tax returns and return information are to be considered SBU data. 26 USC 6103 provides the general rule that tax returns and return information are confidential and cannot be disclosed except as provided by Title 26.
Note: IRC 7213 and IRC 7431 include civil and criminal penalties for willful or negligent disclosure of returns or return information.
IRM 11.3 series, Disclosure of Official Information, contains guidelines governing whether tax returns and other information contained in IRS files may be disclosed. Disclosure may not be made unless IRC 6103 authorizes disclosure and not before requirements in IRC 6103 and IRM 11.3 series are met.
The Office of Government, Liaison and Disclosure must approve proposed disclosures and ensure they meet the requirements of an exception in Title 26 before disclosure.
Before disclosing IRS information (tax information, proprietary information, processes, system information, etc.), contact Disclosure to ensure that the information may be disclosed or what can/should be redacted.
See the Disclosure site on the PGLD Disclosure and Privacy Knowledge Base on IRS Source.
See also the external site for submitting a FOIA Request: https://www.irs.gov/privacy-disclosure/irs-freedom-of-information

10.5.1.7.9 (09-24-2020) Digital Identity Risk Assessment (DIRA) [formerly Electronic Risk Assessment (e-RA)]

Digital Identity Risk Assessment (DIRA) [formerly Electronic Risk Assessment (e-RA)] is a joint effort between IT Cybersecurity and Online Services to establish a framework for establishing authentication risk consistently across online web-based electronic transactions.
To ensure privacy and security, agencies must authenticate users of their web-based or online transactions before permitting access to information entrusted to them.
The DIRA process evaluates the risk of a transaction to determine the applicable assurance level on three component parts, referred to as Identity Assurance Level (IAL), Authenticator Assurance Level (AAL), and Federation Assurance Level (FAL).
Note: The DIRA process applies to online web-based transactions.
For information about risk assessments of online services, contact *IT Cyber CPO DIRA.

10.5.1.7.10 (09-24-2020) Electronic Authentication (e-Authentication)

To ensure privacy and security, agencies must authenticate web-based or online transaction users before permitting access to information.
In the Identity and Access Management domain, the e-Authentication (eAuth) framework uses this process to guide business units with the implementation of online applications/transactions.
For more information, see the DIRA section in IRM 10.5.1.7.9.
Refer to the Secure Access e-Authentication section in IRM 21.2.1, Systems and Research Programs, Systems.
Refer to the e-Authentication site on IRS Source.

10.5.1.7.11 (09-24-2020) Enterprise Life Cycle (ELC)

The IT Enterprise Life Cycle (ELC) office manages the ELC program. The IRS ELC is the methodology by which the IRS manages project activities through established standard processes.
The Enterprise Architecture (EA) is an integral component of the ELC compliance process, particularly from Milestone 1 through Milestone 4a. The ELC provides the direction, processes, tools, and assets necessary to accomplish business change in a consistent and repeatable manner as they implement the EA.
For more information about the ELC, refer to IRM 2.16.1, Enterprise Life Cycle (ELC), ELC Guidance, or the ELC site on IRS Source.

10.5.1.7.12 (09-24-2020) Governmental Liaison (GL)

Governmental Liaison (GL) facilitates, develops, and maintains relationships with federal, state, and local governmental agencies and IRS operating and functional divisions on strategic IRS programs.
All IRS personnel should contact GL prior to contacting any governmental agency regarding initiatives or data exchanges.

GL maintains the IRS Agreement Database (IAD), which includes:

- Formal agreements that GL established with U.S. federal, state and local governmental agencies and IRS business units to exchange data, and tax and non-tax information that require PGLD oversight for privacy, disclosure, and safeguarding. (Internet service agreements, LBI treaty and Foreign Account Tax Compliance Act agreements, Agreements with 6103(k)(6) disclosures and IRC 6103(c) consent-based disclosures with non-government agencies are excluded.)

For more information about GL, see IRM 11.4.1, Communications and Liaison, Office of Governmental Liaison, Governmental Liaison Operations. For more information about GL’s programs, see their page on IRS Source.

10.5.1.7.13 (09-24-2020) Identity Assurance (IA)

Identity Assurance (IA) provides oversight and strategic direction for authentication, authorization, and access processes of taxpayer information. IA also delivers externally facing IRS services across all channels while protecting taxpayer data from fraudsters and identity thieves.

For more information about IA, see the IA site on IRS Source.

10.5.1.7.13.1 (09-24-2020) Electronic Signature (e-Signature) Program

The IRS e-signature principles and federally mandated authentication controls describe how the IRS protects an individual’s identity and assures that only authorized signers are completing the transaction.

For detailed information on the e-signature program, see IRM 10.10.1, Identity Assurance, IRS Electronic Signature (e-Signature) Program.
10.5.1.7.13.2 (09-24-2020) Risk Management for Authentication in Non-Electronic Channels (Omni Channel Risk Assessment)

Interim Guidance Memo PGLD-10-0220-0001 details the Risk Management for Authentication in Non-Electronic Channels policy, owned by PGLD’s IA as part of their Omni Channel approach to authentication and authorization for all interactions.

For electronic interactions, this policy defers to the DIRA process (see IRM 10.5.1.7.9). For all other interactions, this policy applies to assessing the risk in the authentication process of telephone, in-person, and correspondence exchanges of sensitive information with individuals in authenticated customer contact channels.

Identity Assurance created a SharePoint site to provide guidance and house business unit risk assessments. For more information, email *OS P GLD IA Risk Assessments.

10.5.1.7.14 (09-24-2020) IT Security

Architecture and Implementation under Cybersecurity supports IT security policy and implementation.

IT security and privacy issues go hand-in-hand. Information Technology security policy describes how to protect IT environments, while privacy policy describes how to protect individuals’ information in those IT environments. Information Technology focuses on protecting the systems, the network, and the applications that house the data. Privacy focuses on protecting the individual represented by the data.

For more information about IT security policy and references, see IRM 10.8.1 and the rest of the IRM 10.8 family. For more information about the Cybersecurity program, see the Cybersecurity site on IRS Source.
10.5.1.7.15 (09-24-2020) Incident Management (IM)

Incident Management (IM), within PGLD’s PPC, is dedicated to assisting taxpayers and personnel potentially impacted by IRS breaches by working quickly and thoroughly to investigate breaches to decrease the possibility that information will be compromised and used to perpetrate identity theft or other forms of harm.

The IM program manages reports of IRS losses, thefts, and inadvertent disclosure of SBU data (including PII and tax information).

Immediately upon discovery of an inadvertent unauthorized disclosure of sensitive information, or the loss or theft of an IT asset or hardcopy record or document containing sensitive information, personnel must report an incident/breach to the manager and the appropriate organizations based on what was lost or disclosed. Anyone discovering a breach must report the breach to the appropriate organizations.

For more information about how to report an incident/breach, see IRM 10.5.4, Privacy and Information Protection, Incident Management Program, or the Report Losses, Thefts or Disclosures of Sensitive Data; Report Lost or Stolen IT Assets site on the PGLD Disclosure and Privacy Knowledge Base on IRS Source.

10.5.1.7.16 (09-24-2020) Pseudonym

Incident Management (IM), within PGLD’s PPC, manages the IRS Pseudonym program. Under certain conditions (protection of personal safety, adequate justification, pre-approval, etc.), the Pseudonym program provides for the use of pseudonyms by IRS employees. The IRS Incident Management operation helps employees protect the privacy of these pseudonyms.

See IRM 10.5.7, Use of Pseudonyms by IRS Employees.

10.5.1.7.17 (09-24-2020) Safeguards

The Safeguards program and staff are responsible for ensuring that federal, state, and local agencies receiving federal tax information protect it as if the information remained in IRS’s hands.
For more information about Safeguards, see the Safeguards site on the PGLD Disclosure and Privacy Knowledge Base on IRS Source.

10.5.1.7.18 (09-24-2020) Social Security Number Elimination and Reduction (SSN ER)

Information Protection Projects (IPP), under PGLD’s Identity and Records Protection (IRP), administers the Social Security Number Elimination and Reduction (SSN ER) program. This program’s goal is to implement regulatory requirements to eliminate or reduce the collection and use of SSNs in programs, processes, and forms. [OMB A-130]

For more information, refer to the SSN ER site on the PGLD Disclosure and Privacy Knowledge Base on IRS Source, or email *PGLD SSN Reduction.

10.5.1.7.18.1 (03-23-2018) Acceptable Use of SSNs

Use of SSNs is acceptable when any of these options mandates such use:

- Law/statute.
- Executive orders.
- Federal regulations.
- Business need (e.g., the inability to alter systems, processes, or forms due to costs or unacceptable level of risk).

10.5.1.7.18.2 (09-24-2020) SSN Necessary-Use Criteria

SSN ER compliance requires owners of forms, notices, letters, and systems to apply the following SSN necessary-use criteria to determine whether SSN use is justifiable and necessary:

Apply the SSN Necessary-Use Criteria

Based on the definition of the necessary and/or acceptable use of SSNs:

1. Provide an accurate and complete citation of what authority (legislative mandate, regulation, or executive order) justifies SSN usage.
2. Consider how the SSN is used throughout the information lifecycle (reviewing all forms, notices, letters, and systems), and take into account the following regarding SSN data:
   - Acquisition/collection
   - Conversion/use and display
   - Migration/transmission
   - Storage
   - Deletion/disposal
3. Determine whether the SSN is a critical component to the business process, which cannot be performed or achieved without the use of the SSN. The owner must describe in detail those existing operational dependencies.
Note: Procedures for completing and submitting Form 14132, Social Security Number Elimination and Reduction Inventory, are contained in step c).

Identify SSN Elimination and Reduction Solutions

After identifying potential areas to reduce or eliminate SSN use, collaborate with business unit stakeholders to explore and identify feasible short- and long-term mitigation solutions, and submit a written mitigation plan to IPP via email to *PGLD SSN Reduction.

Develop a Mitigation Strategy for Existing Inventories

Whether SSN use is determined to be necessary or unnecessary, develop and provide to PGLD/IPP a mitigation strategy for existing forms, notices, and letters inventories on Form 14132.

When Creating New Forms, Notices, Letters, and Systems

Business/system owners must practice due diligence when creating new forms, notices, letters and systems to ensure they apply the necessary-use criteria.

For New...: The Process Is...

Forms: W&I Media and Publications will ask form owners to consider the necessary use of SSNs on newly created forms. Justification must be provided for all forms requiring an SSN. The justification will become part of the form history folder. (For required Privacy Act Notification information, see the Notification Section of IRM 10.5.6.)

Notices/Letters: The Office of Taxpayer Correspondence will ask owners to consider use of SSNs on all newly created notices/letters. These questions and answers will become part of the interview file and maintained for documentation purposes.

Systems: Owners are required to complete a Privacy and Civil Liberties Impact Assessment (PCLIA) for any system that will contain any personally identifiable information, including SSNs. The purpose of a PCLIA is to demonstrate that program/project managers and system owners and developers have consciously incorporated privacy and civil liberties protections throughout the entire lifecycle of a system.
The Privacy Impact Assessment Management System will maintain the justification for SSN usage.

Manage Inventory

PGLD will use completed Forms 14132 to manage the SSN ER Program and to periodically report progress to Treasury and IRS executive leadership.

Reassess Periodically

Once every three years, business/systems owners must reassess any forms, notices, letters or systems to determine if conditions have changed that allow for the elimination or masking of the SSN on their products.

10.5.1.7.19 (09-24-2020) SBU Data Use for Non-Production Environments

Privacy Compliance and Assurance (PCA), within PGLD’s PPC, manages the SBU Data Use process for non-production environments.

The SBU Data Use for non-production environments process helps Information Owners (IOs) and Authorizing Officials (AOs) know when SBU data (including PII or tax information) is being used in additional non-production environments, when appropriate. This process helps IOs and AOs, tasked with accepting risk on behalf of the IRS, to know and understand the movement of the SBU data outside the production environment and to ensure its protection. [DM-3]

See IRM 10.5.8 (formerly IRM 10.8.8), Sensitive But Unclassified (SBU) Data Policy: Protecting SBU in Non-Production Environments and that site on the PGLD Disclosure and Privacy Knowledge Base on IRS Source.

Exhibit 10.5.1-1 Glossary and Acronyms

Term: Definition or description

AO: Authorizing Official.

ATO: Authorization to Operate.

Authorization To Operate (ATO): An Authorization to Operate (ATO) is a formal declaration by a Designated Approving Authority (DAA) that authorizes operation of a Business Product and explicitly accepts the risk to IRS operations. The ATO is signed after a Certification Agent (CA) certifies that the system has met and passed all requirements to become operational. Systems continue to operate under the same ATO following the Information System Continuous Monitoring (ISCM) process.
Authorizing Official (AO): The Authorizing Official (AO) or accrediting official, shall be a senior management/executive official government employee with the authority to formally assume responsibility for operating a system at an acceptable level of risk. (Refer to IRM 10.8.2 for more information.)

civil liberties: The basic rights guaranteed to individual citizens by law.

CSP: Cloud Service Provider.

Data Owner: See Information Owner.

DIRA: Digital Identity Risk Assessment.

employee information: All employee information covered by the Privacy Act of 1974 (5 U.S.C. 552a, as amended). Examples include personnel, payroll, job applications, disciplinary actions, performance appraisals, drug tests, health exams and evaluation data. Most employee information falls under a category called Privacy.

ELC: Enterprise Life Cycle.

electronic mail message (email): A record created or received on an electronic mail system including briefing notes, more formal or substantive narrative documents, and any attachments, such as word processing and other electronic documents, which may be transmitted with the message. Email is normally not encrypted and may be exchanged with recipients who are operating in a separate technology environment (domain), outside IRS control.

electronic media: Electronic media are electronic copy or devices containing bits and bytes such as hard drives, random access memory (RAM), read-only memory (ROM), disks, flash memory, memory devices, phones, mobile computing devices, networking devices, office equipment, and many other types listed in Appendix A of NIST Special Publication 800-88, Guidelines for Media Sanitization.

employees: IRS employees, which includes:
1. Employees
2. Seasonal/temporary employees
3. Interns
4. Detailees

EP: Employee Protection, within PGLD’s Privacy Policy and Compliance (PPC).

Federal tax information (FTI): Any return or return information received from the IRS or secondary source, such as SSA etc.
FTI includes any information created by the recipient that is derived from return or return information. (Internal Revenue Code (IRC) 6103, Confidentiality and disclosure of returns and return information.) FTI is under the Tax category. This IRM uses the term tax information to encompass all types of tax data.

FedRAMP: Federal Risk and Authorization Management Program.

fictionalized data: Fictional examples of similar situations that contain neither the identity of the taxpayer nor any information that could be considered attributable to a particular taxpayer. Such examples would not require any designation as sensitive.

FIPS: Federal Information Processing Standards.

FISMA: Federal Information Security Modernization Act of 2014.

FTI: Federal Tax Information as defined by IRC 6103. Also a subcategory under Tax, along with the other categories Tax Convention, Taxpayer Advocate Information, Written Determinations.

GL: Governmental Liaison.

GRS: General Records Schedules - Document 12829.

hardcopy: Hardcopy media are physical representations of information, most often associated with paper printouts. However, printer and facsimile ribbons, drums, and platens are all examples of hardcopy media. The supplies associated with producing paper printouts are often the most uncontrolled. Hard copy materials containing sensitive data that leave an organization without effective sanitization expose a significant vulnerability to "dumpster divers" and over-curious employees, risking unwanted information disclosures. [NIST Special Publication 800-88, Guidelines for Media Sanitization]

IAD: IRS Agreement Database.

IA: Identity Assurance, within PGLD.

IM: Incident Management, within PGLD’s PPC.

Information Owner (IO): Official with statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, processing, dissemination, and disposal.
Information Systems Vulnerability Information: Related to information that if not protected, could result in adverse effects to information systems. Information system means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.

IO: Information Owner.

IoT: Internet of Things. IoT involves sensing, computing, communication, and actuation. [NIST SP 800-183] The Internet of Things (IoT) is a rapidly evolving and expanding collection of diverse technologies that interact with the physical world. IoT devices are an outcome of combining the worlds of information technology (IT) and operational technology (OT). Many IoT devices are the result of the convergence of cloud computing, mobile computing, embedded systems, big data, low-price hardware, and other technological advances. IoT devices can provide computing functionality, data storage, and network connectivity for equipment that previously lacked them, enabling new efficiencies and technological capabilities for the equipment, such as remote access for monitoring, configuration, and troubleshooting. IoT can also add the abilities to analyze data about the physical world and use the results to better inform decision making, alter the physical environment, and anticipate future events. [NIST IR 8228]

IPP: Information Protection Projects, under PGLD’s Identity and Records Protection (IRP).

IRC: Internal Revenue Code.

IRP: Identity and Records Protection, under PGLD.

law enforcement sensitive information: Law enforcement data is often sensitive in nature.
The Law Enforcement category includes the subcategories: Accident Investigation; Campaign Funds; Committed Person; Communications; Controlled Substances; Criminal History Records Information; DNA; General Law Enforcement; Informant; Investigation; Juvenile; Law Enforcement Financial Records; National Security Letter; Pen Register/Trap & Trace; Reward; Sex Crime Victim; Terrorist Screening; Whistleblower Identity. Some of the types of law enforcement data that the IRS might see include grand jury, informant, and undercover operations information, and procedural guidance.

layered security: Where layered and complementary privacy and security controls are deemed sufficient to deter and detect unauthorized entry within the area. Examples include, but are not limited to, use of perimeter fences, employee and visitor access controls, use of an intrusion detection system, random guard patrols throughout the facility during non-working hours, closed circuit video monitoring or other safeguards that mitigate the vulnerability of open storage areas without alarms and security storage cabinets during non-working hours. Also sometimes referred to as Security in depth (refer to IRM 10.2.11).

legal: Legal data is often sensitive in nature. The Legal category includes the subcategories: Administrative Proceedings; Child Pornography; Child Victim/Witness; Collective Bargaining; Federal Grand Jury; Legal Privilege; Legislative Materials; Pre-sentence Report; Prior Arrest; Protective Order; Victim; Witness Protection. Some of the types of legal data that the IRS might see include draft, predecisional, and deliberative information.

live data: Production data in use.

MCD: Major Change Determination.

MER: Milestone Exit Release.

NDA: Non-Disclosure Agreement.

NIST: National Institute of Standards & Technology.

OFDP: Online Fraud Detection and Prevention, within IT Cybersecurity.

other protected information: Other protected information includes any knowledge or facts received by or created by IRS in support of IRS work.
This includes all information covered by the Trade Secrets Act, the Procurement Integrity Act, and similar statutes. Examples include, but are not limited to:
- Records about individuals requiring protection under the Privacy Act.
- Information that is not releasable under the Freedom of Information Act.
- Proprietary data or proprietary business information.
- Procurement sensitive data, such as contract proposals.
- Information, which if modified, destroyed or disclosed in an unauthorized manner could cause: loss of life, loss of property or funds by unlawful means, violation of personal privacy or civil rights, gaining of an unfair procurement advantage by contractors bidding on government contracts, or disclosure of proprietary information entrusted to the Government.
- System sensitive information or Information Systems Vulnerability Information:
- Information related to the design and development of application source code.
- Specific IT configurations, where the information system security configurations could identify the state of security of that information system; Internet Protocol (IP) addresses that allow the workstations and servers to be potentially targeted and exploited; and source code that reveals IRS processes that could be exploited to harm IRS programs, employees or taxpayers.
- Security information containing details of serious weaknesses and vulnerabilities associated with specific information systems and/or facilities.
- Any information, which if improperly used or disclosed could adversely affect the ability of the IRS to accomplish its mission.

PCA: Privacy Compliance and Assurance.

PCLIA: Privacy and Civil Liberties Impact Assessment; replaced PIA for most privacy assessments. See IRM 10.5.2 for more information.

personnel: IRS personnel or users, which includes:
1. Employees
2. Seasonal/temporary employees
3. Interns
4. Detailees
5. Consultants
6.
IRS contractors (including contractors, subcontractors, non-IRS-procured contractors, vendors, and outsourcing providers)
Subcategory of data in Privacy category.

personally identifiable information (PII): Per OMB Circular A-130: ‘Personally identifiable information’ means information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual. Because there are many different types of information that can be used to distinguish or trace an individual’s identity, the term PII is necessarily broad. To determine whether information is PII, the agency shall perform an assessment of the specific risk that an individual can be identified using the information with other information that is linked or linkable to the individual. In performing this assessment, it is important to recognize that information that is not PII can become PII whenever additional information becomes available – in any medium and from any source – that would make it possible to identify an individual. In General Privacy subcategory of Privacy category. Refers to personal information, or, in some cases, "personally identifiable information," as defined in OMB M-17-12, or "means of identification" as defined in 18 USC 1028(d)(7).

PGLD: Privacy, Governmental Liaison and Disclosure.

PHI: Personal Health Information; can be a type of SBU data. Also, a specific type of Health Information (part of the Privacy category).

PIA: Privacy Impact Assessment; replaced by PCLIA at IRS for most privacy assessments. See IRM 10.5.2 for more information.

PIAMS: Privacy Impact Assessment Management System.

PII: Personally Identifiable Information.

PPC: Privacy Policy and Compliance.

PPKM: Privacy Policy and Knowledge Management, under PGLD’s Privacy Policy and Compliance (PPC).
privacy: Privacy at the IRS reflects the combined effort of the IRS, its personnel, and individual taxpayers to protect, control, and exercise rights over the collection, use, retention, dissemination, and disposal of personal information.

Privacy Compliance and Assurance (PCA): Organization that owns and manages the PCLIA, BPRA, SBU Data Use programs for IRS.

privacy culture: Where all personnel think about privacy before taking action. In such an environment or culture, protecting privacy guides the day-to-day practices and routines of each individual.

privacy and information lifecycle: The series of uses and status of information. It includes the creation, collection, receipt, use, processing, maintenance, access, inspection, display, storage, disclosure, dissemination, or disposal of SBU data (including PII and tax information) regardless of format. Information life cycle means the stages through which information passes, typically characterized as creation or collection, processing, dissemination, use, storage, and disposition, to include destruction and deletion. [OMB A-130] Also described as designation, safeguarding, marking, sharing (accessing and disseminating), destruction, and decontrol.

Privacy Principles: The IRS Privacy Principles describe how the IRS protects an individual’s right to privacy. Protecting taxpayer privacy and safeguarding confidential tax information is a public trust. To maintain this trust, the IRS and its personnel must follow the privacy principles.

Privacy Requirements: Mandatory IRS system requirements derived from IRS Privacy Principles and linked to the Privacy Controls, form the basis for privacy protection within the IRS. They mirror the IRS Privacy Principles and provide high-level privacy requirements applicable to the IRS Enterprise Architecture.

PVR: IRS Privacy Requirements (see Privacy Requirements).

QQ: Qualifying Questionnaire (see PCLIA).

RAFT: Risk Acceptance Form and Tool.

RBD: Risk-Based Decision.
RCS: Records Control Schedules - Document 12990.

return: Any tax or information return, estimated tax declaration, or refund claim (including amendments, supplements, supporting schedules, attachments, or lists) required by or permitted under the IRC and filed with the IRS by, on behalf of, or with respect to any person or entity (IRC 6103(b)(2)(B)). Also included as Federal Taxpayer Information, in the Tax category.

return information: In general, is any information collected or generated by the IRS with regard to any person’s liability or possible liability under the IRC. IRC 6103(b)(2)(A) defines return information as very broad. Also included as Federal Taxpayer Information, in the Tax category.

RIM: Records and Information Management.

SBU: Sensitive But Unclassified.

SBU data: Any information which, if lost, stolen, misused, or accessed or altered without proper authorization, may adversely affect the national interest or the conduct of federal programs (including IRS operations), or the privacy to which individuals are entitled under the Privacy Act (5 U.S.C. 552a). [TD P 15-71] SBU data includes but is not necessarily limited to: Federal Tax Information (FTI), Personally Identifiable Information (PII), Protected Health Information (PHI), certain procurement information, system vulnerabilities, case selection methodologies, system information, enforcement procedures, investigation information. Live data, which is defined as production data in use. Live means that when changing the data, it changes in production. The data may be extracted for testing, development, etc., in which case, it is no longer live. Live data often contains SBU data. For more information regarding security protections of Sensitive But Unclassified (SBU) data, refer to IRM 10.8.1.

SCIF: Sensitive Compartmented Information Facility (an enclosed area within a building that is used to process sensitive data).

SLA: Staff-Like Access.

SP: Special Publication (NIST).
SSN ER: Social Security Number Elimination and Reduction.

staff-like access: [From IRM 10.23.2] Staff-like access (SLA) is the authority granted to perform one or more of the following:
- Enter IRS facilities or space (owned or leased) unescorted (when properly badged).
- Possess login credentials to information systems (IRS or vendor-owned systems that store, collect, and/or process IRS information).
- Possess physical and/or logical access to (including the opportunity to see, read, transcribe, and/or interpret) Sensitive but Unclassified (SBU) data, wherever the location. (See IRM 10.5.1 for examples of SBU data.)
- Possess physical access to (including the opportunity to see, read, transcribe, and/or interpret) security items and products (e.g., items that must be stored in a locked container, security container, or a secure room, wherever the location. These items include, but are not limited to security devices/records, computer equipment, Identification media. For additional guidance, see IRM 10.2.15, Minimum Protection Standards (MPS).
- Enter physical areas, wherever the location, that store/process SBU information (unescorted).

SLA is granted to an individual who is not an IRS employee (and includes, but is not limited to: contractors/subcontractors, whether procured by IRS or another entity, vendors, delivery persons, experts, consultants, paid/unpaid interns, other federal employees, cleaning/maintenance employees, etc.), and is approved upon required completion of a favorable suitability/fitness determination conducted by IRS Personnel Security.

survey: Any data collection method, including but not limited to surveys, focus groups, interviews, pilot studies, and field tests. Refer to IRM 10.5.2 for more information.

synthetic data: Data that does not contain SBU data; however, it imitates data as it appears in an actual taxpayer’s file and does not require the submission of a SBU Data Usage and Protection request.
system information: Included in Critical Infrastructure category, also known as information systems vulnerability information. This term includes passwords and vulnerabilities.

tax information: Any information that is obtained or used in the preparation of a tax return (Pub 4557, Safeguarding Taxpayer Data: A Guide for Your Business). For the purpose of this IRM, the terms tax data and tax information include return and return information as defined in IRC 6103(b). The Tax category, including:
- Federal Taxpayer Information.
- Tax Convention.
- Taxpayer Advocate Information.
- Written Determinations.

TIGTA: Treasury Inspector General for Tax Administration.

UNAX: Unauthorized Access to taxpayer accounts. The Taxpayer Browsing Protection Act (1997) forbids the willful unauthorized access or inspection of taxpayer records.
- UNAX site on the PGLD Disclosure and Privacy Knowledge Base on IRS Source
- IRM 10.5.5, IRS Unauthorized Access, Attempted Access or Inspection of Taxpayer Records (UNAX) Program Policy, Guidance and Requirements

UUID: Universally Unique Identifier, a unique random number generated for each individual taxpayer in the electronic authentication process (eAuth). It is PII.

Exhibit 10.5.1-2 References

This section lists the primary privacy statutes, regulations, guidelines, OMB Memoranda, and other materials that drive the privacy programs. Many of these can be found on the Federal Privacy Council’s website in the law library section. https://www.fpc.gov/law-library/

Laws, Acts, Mandates, and OMB Memos

- Privacy Act of 1974 (5 U.S.C. 552a; Pub. L. No. 93-579), December 1974.
- Computer Matching and Privacy Protection Act (1988).
- Freedom of Information Act (FOIA) (1974). Note: FOIA was amended by the OPEN Government Act of 2007, Pub. L. No. 110-175, 121 Stat. 2524 (2007). The FOIA was subsequently amended by the FOIA Improvement Act of 2016, Pub. L. 114-185.
- IRC 6103
- E-Government Act (2002) [Pub.L. 107–347, 116 Stat. 2899, 44 U.S.C. 3501 Note, H.R. 2458/S.
803], December 2002.
- Federal Information Security Modernization Act of 2014 (FISMA, Pub. L. No. 113-283, Title II), December 2014.
- Protecting Americans from Tax Hikes Act of 2015 https://www.congress.gov/bill/114th-congress/house-bill/2029/text
- Electronic Communications Privacy Act of 1986 (ECPA), 18 U.S.C. 2510 et seq.
- Taxpayer First Act of 2019.

Executive Orders

The link for Executive Orders is: https://www.federalregister.gov/executive-orders

- Executive Order 10450, Security Requirements for Government Employment, April 1953.
- Executive Order 13556, Controlled Unclassified Information, November 2010.
- Executive Order 13636, Improving Critical Infrastructure Cybersecurity, February 2013.
- Executive Order 13681, Improving the Security of Consumer Financial Transactions, October 2014.

OMB Circulars https://www.whitehouse.gov/omb/information-for-agencies/circulars/

- OMB Circular No. A-11, Preparation, Submission, and Execution of the Budget
- OMB Circular No. A-108, Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act
- OMB Circular No. A-130, Management of Federal Information Resources

OMB Memos https://www.whitehouse.gov/omb/information-for-agencies/memoranda/

The list of OMB Memos is:

- M-01-05 – Guidance on Inter-Agency Sharing of Personal Data - Protecting Personal Privacy.
- M-03-22 – OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002.
- M-10-22 – Guidance for Online Use of Web Measurement and Customization Technologies.
- M-10-23 – Guidance for Agency Use of Third-Party Websites and Applications.
- M-12-20 – FY 2012 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management. [FAQ 51]
- M-14-04 – Fiscal Year 2013 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management. [FAQ 60]
- M-16-24 – Role and Designation of Senior Agency Officials for Privacy.
M-17-06 – Policies for Federal Agency Public Websites and Digital Services.
M-17-09 – Management of Federal High Value Assets.
M-17-12 – Preparing for and Responding to a Breach of Personally Identifiable Information.
M-19-17 – Enabling Mission Delivery through Improved Identity, Credential, and Access Management.
M-19-21 – Transition to Electronic Records.

Department of the Treasury

Treasury Directive Publication (TD P) 15-71, Treasury Security Manual.
TD P 25-04, Privacy Act Handbook.
Treasury’s Privacy and Civil Liberties Impact Assessment (PCLIA) Template and Guidance.
TD P 85-01, Treasury Information Technology (IT) Security Program, December 12, 2017.

IRS

On the IRS Source (links in Hyperlinks for Other Privacy-Related Programs document on PGLD Disclosure and Privacy Knowledge Base):
  Cybersecurity
  Authorized software
  Office of Disclosure (*Disclosure)
  Office of Safeguards (*Safeguard Reports)
  Privacy, Governmental Liaison and Disclosure (email *Privacy)
  SA&A
Taxpayer Bill of Rights, codified in IRC 7803(a)(3): https://www.irs.gov/taxpayer-bill-of-rights
Related IRMs:
  IRM 1.1.27, Organization and Staffing, Privacy, Governmental Liaison and Disclosure (PGLD)
  IRM 11.3 series, Disclosure of Official Information.
  IRM 1.15 series, Records and Information Management.
  IRM 10.8 series, especially:
    IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance.
    IRM 10.8.2, Information Technology (IT) Security, Roles and Responsibilities.
    IRM 10.8.24, Information Technology (IT) Security, Cloud Computing Security Policy.
    IRM 10.8.26, Information Technology (IT) Security, Government Furnished and Personally Owned Mobile Computing Device Security Policy.
    IRM 10.8.27, Information Technology (IT) Security, Personal Use of Government Furnished Information Technology Equipment and Resources.
  IRM 10.23.2, Personnel Security, Contractor Investigations.

NIST

The link for National Institute of Standards and Technology (NIST) Special Publication (SP): https://csrc.nist.gov/publications/sp
SP 800-18, Guide for Developing Security Plans for Federal Information Systems, February 2006.
SP 800-28 Version 2, Guidelines on Active Content and Mobile Code, March 2008.
SP 800-30 Rev. 1, Guide for Conducting Risk Assessments, September 2012.
SP 800-37 Rev. 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy, December 2018.
SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, March 2011.
SP 800-44 Version 2, Guidelines on Securing Public Web Servers, September 2007.
SP 800-45 Version 2, Guidelines on Electronic Mail Security, February 2007.
SP 800-46 Rev. 2, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security, July 2016.
SP 800-47, Security Guide for Interconnecting Information Technology Systems, August 2002.
SP 800-53 Rev. 4, Security and Privacy Controls for Federal Information Systems and Organizations, January 2015.
  Appendix J, Privacy Control Catalog.
SP 800-53A, Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans, December 2014.
SP 800-55 Rev. 1, Performance Measurement Guide for Information Security, July 2008.
SP 800-59, Guideline for Identifying an Information System as a National Security System, August 2003.
SP 800-60 Rev. 1, Guide for Mapping Types of Information and Information Systems to Security Categories, August 2008.
SP 800-63, Electronic Authentication Guideline, July 2017.
SP 800-63-3, Digital Identity Guidelines, December 2017:
  Digital Identity Guidelines: Enrollment and Identity Proofing.
  Digital Identity Guidelines: Authentication and Lifecycle Management.
  Digital Identity Guidelines: Federation and Assertions.
SP 800-83 Rev. 1, Guide to Malware Incident Prevention and Handling for Desktops and Laptops, July 2013.
SP 800-88 Rev. 1, Guidelines for Media Sanitization, December 2014.
SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), April 2010.
SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations, September 2011.
SP 800-163 Rev. 1, Vetting the Security of Mobile Applications, April 2019.
SP 800-183, Networks of ‘Things’, July 2016.
IR 8228, Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks, June 2019.

The link for FIPS publications is: https://csrc.nist.gov/publications/fips
Federal Information Processing Standards (FIPS) Publication 199, Standards for Security Categorization of Federal Information and Information Systems.
Federal Information Processing Standards (FIPS) Publication 200, Minimum Security Requirements for Federal Information and Information Systems.
Federal Information Processing Standards (FIPS) Publication 201, Personal Identity Verification of Federal Employees and Contractors.
National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity.
National Institute of Standards and Technology Supplemental Guidance on Ongoing Authorization: Transitioning to Near Real-Time Risk Management.

Additional information regarding the NIST publications noted above is available on the NIST website: https://csrc.nist.gov/