The mission of PGLD is to preserve and enhance public confidence by advocating for the protection and proper use of identity information.

The privacy and security of taxpayer and employee information is one of the IRS's highest priorities. PGLD administers privacy and records management policy and initiatives and coordinates privacy and records management-related actions throughout the IRS. [OMB A-130]

PGLD is committed to ensuring the protection of SBU data, including taxpayer and employee PII, from unauthorized access. The organization identifies and reduces threats to privacy and increases awareness of criminal activities aimed at compromising this information. PGLD also leads IRS privacy and records management policies, coordinates privacy protection guidance and activities, responds to privacy complaints, and promotes data protection awareness throughout the IRS. [OMB A-130, IP-4]

This IRM defines the uniform policies used by IRS personnel and organizations to carry out their responsibilities related to privacy.

This IRM establishes the minimum baseline privacy policy and requirements for all IRS SBU data (including PII and tax information) in order to:

It is acceptable to employ practices that are more restrictive than those defined in this IRM.

It is the policy of the IRS:

The Director, PGLD, is the IRS Chief Privacy Officer. For more information about PGLD, refer to IRM 1.1.27, Organization and Staffing, Privacy, Governmental Liaison and Disclosure (PGLD), and PGLD’s Disclosure and Privacy Knowledge Base on IRS Source.

The audience to which the provisions in this manual apply includes:

For the purpose of this IRM, the following terms apply. Hereinafter, this IRM refers to IRS personnel, which includes all categories below:

Privacy Policy and Knowledge Management (PPKM) under PGLD’s Privacy Policy and Compliance (PPC) develops privacy policy in accordance with applicable laws, mandates, guidance, mission, and input from other stakeholders. See the References section in Exhibit 10.5.1-2.

For more information about PGLD, refer to IRM 1.1.27, Organization and Staffing, Privacy, Governmental Liaison and Disclosure (PGLD), and PGLD’s Disclosure and Privacy Knowledge Base on IRS Source.

All business units are stakeholders regarding privacy.

This IRM serves as the framework for IRS privacy policy and an introduction to PGLD.

This policy establishes the privacy context for the development of related subordinate IRMs, IRS publications, and subordinate procedural guidance such as Standard Operating Procedures (SOP) and Desk Procedures.

Subordinate IRMs offer additional privacy program protection information.

Subordinate procedural guidance provides detailed guidance for implementing and complying with the requirements within this IRM. For further information, see PGLD’s Disclosure and Privacy Knowledge Base on IRS Source.

If IRM 10.5.1 conflicts with or varies from the subordinate IRMs in the 10.5 series or guidance, IRM 10.5.1 takes precedence, unless the subordinate IRM is more restrictive or otherwise noted.

This policy assigns responsibilities and lays the foundation necessary to measure privacy progress and compliance.

PGLD’s Privacy Policy and Knowledge Management (PPKM) implements relevant privacy statutes, regulations, guidelines, OMB Memoranda, and other requirements. Various statutes, such as the Privacy Act, FISMA, and Paperwork Reduction Act mandate compliance with OMB policy and NIST guidance, giving them the force of law.

The Taxpayer Bill of Rights, codified in IRC 7803(a)(3), requires the IRS to protect taxpayer rights to privacy and confidentiality.

In an effort to reference the origin of a privacy policy cited later in this IRM (National Institute of Standards and Technology (NIST), Treasury, etc.), this IRM may reference a requirement’s origin in brackets at the end of the guidance, such as [PVR-xx] (IRS Privacy Principles and Privacy Requirements), [AP-01] (NIST Privacy Controls), or [TD P 85-01] (Treasury Directive Publications). If no specific origin reference appears, multiple origins may apply. Lack of a reference citation does not indicate no origin applies.

The primary laws include:

The most relevant OMB Circulars and Memos are:

Relevant NIST guidance includes:

The relevant Department of the Treasury directives and publications are:

For a full listing of and links to privacy-related statutes, regulations, guidelines, OMB Memoranda, and other materials relevant to this IRM, see Exhibit 10.5.1-2, References.

The concept of a privacy and information lifecycle refers to the creation, collection, receipt, use, processing, maintenance, access, inspection, display, storage, disclosure, dissemination, or disposal of SBU data (including PII and tax information), regardless of format. [OMB A-130]

IRS personnel must protect SBU data (including PII and tax information) throughout the privacy lifecycle, from receipt to disposal.

Sensitive But Unclassified (SBU) data is any information which if lost, stolen, misused, or accessed or altered without proper authorization, may adversely affect the national interest or the conduct of federal programs (including IRS operations), or the privacy to which individuals are entitled under the Privacy Act. For the full definition, refer to TD P 15-71, Treasury Security Manual, Chapter III, Section 24, Sensitive But Unclassified Information.

SBU data includes, but is not limited to:

All IRS personnel must protect SBU data. Personnel must restrict access, inspection, and disclosure of SBU data to others who have a need to know the information. [PVR-05]

SBU data includes categories of protected information which many IRS personnel handle on a daily basis, such as PII and tax information. It also includes other categories, such as procurement (which can include general procurement and acquisition, small business research and technology, and source selection) and system information (which can include critical infrastructure categories like information systems vulnerability information, physical security, emergency management).

Personnel must determine if the SBU data is necessary to do business (does it support the business purpose of the system or the organization’s mission?). If it does not serve a valid business purpose, then the IRS must not collect that SBU data. If that SBU data does serve a business purpose, then the IRS may use it throughout the privacy lifecycle appropriately. For more information, see the IRS Privacy Principles section in IRM 10.5.1.3.2. [Privacy Act; PVR-02; PVR-03]

Complete a Privacy and Civil Liberties Impact Assessment (PCLIA) for any system using SBU data. Refer to IRM 10.5.2, Privacy and Information Protection, Privacy Compliance and Assurance, for more information about PCLIAs.

SBU data in a public record is still SBU data, however different protections apply. To determine if publicly available SBU data or SBU data in the public record is still sensitive, see the Public Record section in IRM 10.5.1.2.3.2.

For more information on PII, see the Protecting and Safeguarding SBU Data and PII section in IRM 10.5.1.6.1.

Personally identifiable information means information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual. [OMB A-130]

For IRS purposes:

The definition of PII is not anchored to any single category of information or technology. Rather, it requires a case-by-case assessment of the specific risk that an individual can be identified.

Personnel should know that non-PII can become PII whenever additional information becomes available — in any medium and from any source — that, when combined with other available information, could be used to identify an individual. [NIST SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII); OMB Memorandum M-10-23]

See the Examples and Categories of PII section in IRM 10.5.1.2.3.1 for more information.

Refer to the PGLD Disclosure and Privacy Knowledge Base on IRS Source. .

Submit a PCLIA for any system using PII. Refer to IRM 10.5.2 for more information about PCLIAs.

PII in a public record is still PII; however, different protections apply. To determine if publicly available PII or PII in the public record is still sensitive, see the Public Record section in IRM 10.5.1.2.3.2.

For more information on PII, see the Protecting and Safeguarding SBU Data and PII section in IRM 10.5.1.6.1.

The term tax information, or Federal Tax Information (FTI), refers to a taxpayer’s return and return information protected from unauthorized disclosure under IRC 6103. This law defines return information as any information the IRS has about a tax return or liability determination. This return information includes, but is not limited to, a taxpayer’s:

Redacting, masking, truncating, or sanitizing tax information does not change its nature. It is still tax information.

Tax information in IRS business processes comes under many names, such as FTI, IRC 6103-protected information, 6103, taxpayer data, taxpayer information, tax return information, return information, case information, SBU data, and PII. The term "live data" should not be used to describe tax information, unless it is in a production environment as discussed in the Sensitive But Unclassified (SBU) Data section in IRM 10.5.1.2.2.

Tax information is SBU data. IRC 6103 protects tax information from unauthorized disclosure. When tax information relates to an individual, that SBU data is also PII. [IRC 6103(b)(2)]

Submit a Privacy and Civil Liberties Impact Assessment (PCLIA) for any system using SBU data (including PII and tax information). Refer to IRM 10.5.2 for more information about PCLIAs.

See these subsections in this IRM for more information:

For more information about return information and a definition, refer to IRM 11.3.1, Disclosure of Official Information, Introduction to Disclosure.

The term UNAX defines the act of committing an unauthorized access or inspection of any tax information contained on paper or within any electronic format. An access or inspection is unauthorized if it is done without a management-assigned IRS business need.

The IRS created the unauthorized access or inspection of tax information and records (UNAX) program to implement privacy protection and statutory unauthorized access and browsing prevention requirements.

UNAX is governed by the Taxpayer Browsing Protection Act. For more information about UNAX, refer to IRM 10.5.5, RS Unauthorized Access, Attempted Access or Inspection of Taxpayer Records (UNAX) Program Policy, Guidance and Requirements.

While statutory UNAX (based on the Taxpayer Browsing Protection Act) refers to unauthorized access to tax information, unauthorized access to SBU data is governed by other statutes and by Treasury and IRS policy. [TD P 15-71, Treasury Security Manual, Chapter III, Section 24, Sensitive But Unclassified Information]

The term unauthorized access of SBU data defines the act of committing an unauthorized access or inspection of any SBU data (not tax information) contained on paper or within any electronic format. An access or inspection is unauthorized if it is done without a management-assigned IRS business need.

See Sensitive But Unclassified (SBU) Data, IRM 10.5.1.2.2, and Need to Know IRM 10.5.1.2.8.

Refer to 18 U.S. Code 1030 - Fraud and related activity in connection with computers; 44 U.S. Code Chapter 35 (44 U.S.C. 3551-3558); and Privacy Act of 1974, 5 U.S.C. 552a.

The Privacy Act of 1974 (Privacy Act) forms the core of IRS privacy policy. It provides certain safeguards for an individual against an invasion of personal privacy by requiring federal agencies to:

The Privacy Act applies to agency records retrieved by an identifier for an individual.

The term "record" includes, but is not limited to, education, financial transactions, medical history, and criminal or employment history and that contains name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a fingerprint or a photograph.

Privacy Act information is PII because it identifies individuals. Therefore, it is also SBU data. As with any other SBU data, disclosure must be restricted to persons authorized to have access to the information pursuant to the Privacy Act

For more information on the Privacy Act, refer to IRM 10.5.6, Privacy Act.

Restrict access to SBU data (including PII and tax information) to those IRS personnel who have a need for the information in the performance of their duties.

The term "need to know" describes the requirement that personnel may access SBU data (including PII and tax information) only as authorized to meet a legitimate business need, which means that they need the information to perform their duties. See examples later in this section for explanations of how need to know applies to duties.

Personnel (including current employees, rehired annuitants, returning contractors, etc.) who change roles or assignments may access only the SBU data (including PII and tax information) for which they still have a business need to know to perform their duties. If they no longer have a business need to know, they must not access the information. This policy includes, but is not limited to, information in systems, files (electronic and paper), and emails, even if technology does not prevent access.

Personnel must ensure their own adherence to this need-to-know policy.

This standard is less stringent than a "cannot function without it" test. For each use, personnel must consider whether they can perform their official duties properly, efficiently, or appropriately without the information. Necessary for official duties in this context does not mean essential or indispensable, but rather appropriate and helpful in obtaining the information sought.

Personnel who have a need to know must be informed of the protection requirements under the law by management and must have an appropriate level of clearance through a background investigation, typically covered by the onboarding and training process.

Need to know supports the "relevant and necessary" aspect of the Purpose Limitation Privacy Principle and the Privacy Act. It conveys the statutory restrictions to disclose protected information to those who have an authorized need for the information in the performance of their duties. The Strict Confidentiality Privacy Principle requires this, as does the NIST Privacy Control for Privacy Monitoring and Auditing and Security Controls in the Access Control family. [PVR-02; PVR-05; Privacy Act; IRC 6103 and 7803(a)(3); UNAX; Treasury’s Privacy and Civil Liberties Impact Assessment (PCLIA) Template and Guidance; AR-4; NIST 800-53]

Access to classified national security information requires more stringent controls which are addressed in IRM 10.9.1, National Security Information.

Refer to IRM 11.3.22, Disclosure of Official Information, Disclosure to Federal Officers and Employees for Tax Administration Purposes, for information about Access by IRS Employees Based on Need to Know.

The NIST Special Publication (SP) 800-53 (Rev. 4), Appendix J, outlines 26 privacy controls in eight (8) groups designed to protect privacy for the lifecycle of PII. These controls establish a relationship between privacy and security controls.

OMB A-130 mandates implementation of NIST privacy controls.

The IRS applies NIST privacy controls within its Privacy Principles and Privacy Requirements. See the IRS Privacy Principles section in IRM 10.5.1.3.2 to view the connections.

The IRS conducts privacy continuous monitoring through its comprehensive privacy program. [OMB A-130]

The public trusts the IRS and its personnel to protect taxpayer privacy and safeguard confidential tax information.

The IRS is dedicated to meeting this expectation. All IRS personnel are required to conduct their actions in a way that reflects a commitment to treat individuals fairly, honestly, and respectfully, and protect their right to privacy at all times. [OMB A-130]

Protecting taxpayer privacy and safeguarding confidential tax information is a public trust. To maintain this trust, the IRS and its personnel must follow these privacy principles:

The IRS derived the privacy principles from the Fair Information Practice Principles (FIPPs) and the Privacy Act.

IRS Policy Statement 1-1 reflects these principles in the Policy Statements for Organization, Finance and Management Activities section of IRM 1.2.1, Servicewide Policies and Authorities – Policy Statements for Organization, Finance and Management Activities.

IRS personnel (as defined in the Audience section in IRM 10.5.1.1.2) must:

IRS personnel must follow privacy and security responsibilities outlined in IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance, and IRM 10.8.2, Information Technology (IT) Security, IT Security Roles and Responsibilities.

In addition to the Employee/Personnel responsibilities, Management must also:

In addition to the Employee/Personnel and Management responsibilities, Senior Management/Executives must also:

In addition to the Employees/Personnel responsibilities, IRS system owners must:

In addition to the Employees/Personnel responsibilities, System Developers must:

In addition to the Employee/Personnel and Management responsibilities, the Authorizing Official (AO) must develop and maintain additional operational documentation (such as action and implementation plans, standard operating procedures) necessary for implementation of the privacy controls, delineated in the IRM 10.5 series.

The AO holds responsibility for implementation of privacy, including documentation and procedures for how their information systems are managed, administered, and monitored.

In addition to the Employee/Personnel responsibilities, personnel engaged in procurement-related activities must:

The IRS’s Clean Desk Policy and containerization objectives are designed to address the protection of SBU data (including PII and tax information) throughout the privacy lifecycle. The Clean Desk Policy requirements apply to data left out in work areas (including those in telework and offsite locations) and non-secured containers, on credenzas, desk tops, fax/copy machines, conference rooms, and in/out baskets. [TD P 15-71; PVR-01, PVR-05, PVR-06]

All SBU data (including PII and tax information) in non-secured areas must be containerized during non-duty hours.

Protected data must be locked in containers in areas where non-IRS personnel have access during non-duty hours and/or when not under the direct control of an authorized IRS employee. For additional information, refer to the Containers section in IRM 10.2.14, Methods of Providing Protection.

For some pipeline activities and processing conducted at Submission Processing centers, campuses, and computing centers, the volume of the tax information processed and the disruption to these operations might prevent containerization and Clean Desk implementation. Clean Desk Waivers are required for these areas. Clean Desk Waiver requirements are:

IRS Privacy in Practice includes protecting privacy in systems and safeguarding privacy in everyday business practices. All IRS activities should contain an element of privacy. A culture of privacy prevails through Privacy in Practice; from systems development to customer service, training, communications, passwords, and the Clean Desk Policy.

PGLD Privacy Policy and Compliance (PPC) employees serve as privacy advocates and consultants for IRS personnel and projects.

Designing privacy into projects is a key aspect of effective privacy policy and compliance at the IRS.

Invite PPC privacy employees whenever necessary at all project stages.

Refer to Privacy in Practice Quick Reference Guide (Document 13291)

To request assistance or for further information, email *Privacy.

Refer to the Enterprise Architecture site on IRS Source.

Regardless of the risk, IRS personnel must protect and safeguard SBU data (including PII and tax information). This means personnel must properly use SBU data throughout the privacy lifecycle.

The following requirements stem from TD P 15-71, Treasury Security Manual, Chapter III, Section 24, Sensitive But Unclassified Information.

IRS personnel must be aware and comply with safeguarding requirements for SBU data. Personnel must also be aware that divulging SBU data without proper authority could result in administrative or disciplinary action (including termination of contract). The lack of an SBU marking does not mean the information is not sensitive nor does it relieve the creator or holder of such information from responsibility to appropriately safeguard the information from unauthorized use or inadvertent disclosure.

Personnel must take steps to prevent the possibility of such disclosure by non-IRS personnel. Personnel must deny unauthorized non-IRS personnel access to other than those areas which have been established for serving the public.

Personnel must follow the IRS Clean Desk Policy in IRM 10.5.1.5.1.

IRS officials who use SBU data are responsible for determining how long the information must be protected, for example, either by date or lapse of a determinable event.

IRS security officials must provide routine oversight of measures in place to protect SBU data through a program of routine administration and day-to-day management of their information security program.

IRS supervisors and program managers are responsible for personnel being trained to recognize and safeguard SBU data supporting their mission, operations, and assets. Supervisors and managers must also ensure an adequate level of education and awareness is maintained by affected personnel. Education and awareness must begin upon initial personnel assignment and annually reinforced through mandatory training, staff meetings, or other methods/media contributing to an informed workforce.

IRS personnel must protect SBU data supporting their mission, operations, and assets. Protection efforts must focus on preventing unauthorized or inadvertent disclosure and especially when visitors enter areas where SBU data is handled, processed, discussed, or stored. This includes being aware of surreptitious and accidental threats posed by high-end communications technologies carried/used by personnel and visitors, such as cell phones (with or without photographic capability), personal data assistants/digital assistants, smart devices, Internet of Things (IoT), portable/pocket computers, cameras, and other video imaging recorders, flash drives, multi-functional, and two-way pagers, and wireless devices capable of storing, processing, or transmitting information.

IRS program managers and contracting officials must also require appropriate privacy and security contract clauses for personnel, facilities, and information protection through the acquisition process of contracts or grants that concern access to SBU data.

Encryption is an important tool in the IRS’s protection of SBU data (including PII and tax information). [OMB A-130, PVR-06]

For more details about emailing and encrypting SBU data, see the Email section in IRM 10.5.1.6.8.

Any SBU data (including PII and tax information) on a computer (such as a server, desktop, or mobile computing device [such as a laptop, tablet, smartphone, etc.]) must be protected, locked (such as a screen saver), secured physically, and kept within sight and/or control.

IRS personnel must use encryption, access controls, and physical security measures as appropriate for the equipment and setting.

Protect equipment. Securely lock computers (such as a server, desktop, or mobile computing device [such as a laptop, tablet, smartphone, etc.]) or other equipment (such as flash drives, CDs, external drives) when left unattended, whether in the office, in the home, or in a hotel room. Use the IRS-provided cables and cable locks to secure laptops when working in regular work space (worksite), working out of the office, or in travel status.

For more information about secured wireless access points (wi-fi hotspots), refer to the Telework section in IRM 10.5.1.6.11 and the AC-18 Wireless Access section in IRM 10.8.1, Information Technology (IT) Security Policy and Guidance.

IRS personnel must prevent SBU data loss throughout the privacy lifecycle.

If such a loss occurs:

For a brief description of the Incident Management program, see the Incident Management section in IRM 10.5.1.7.15.

For more information about how to report an incident, refer to IRM 10.5.4, Privacy and Information Protection, Incident Management Program, or the Report Losses, Thefts or Disclosures of Sensitive Data; Report Lost or Stolen IT Assets site on the PGLD Disclosure and Privacy Knowledge Base on IRS Source.

The Treasury Security Manual [TD P 15-71, Treasury Security Manual, Chapter III, Section 24, Sensitive But Unclassified Information] requires that information designated as SBU data (including PII and tax information) and requiring such marking must be distinctly labeled so persons authorized access are readily aware of its sensitivity. IRS-specific marking requirements are also addressed in IRM 11.3.12, Designation of Documents. The lack of SBU markings, however, does not relieve the holder from safeguarding responsibilities. Unmarked SBU information already in records storage does not need to be removed, marked, and restored. However, when individual items are temporarily removed from storage that have no markings (and are subsequently deemed to be SBU), those will be appropriately marked to reflect the correct status as SBU before being re-filed.

Protective measures start when markings are applied and end when such markings are cancelled or the records are destroyed.

Although SBU is Treasury’s standard for identifying sensitive information, some types of SBU information might be more sensitive than others and warrant additional safeguarding measures beyond the minimum requirements established herein. Certain information might be extremely sensitive based on repercussions if the information is released or compromised – potential loss of life or compromise of a law enforcement informant or operation. IRS and its personnel must use sound judgment coupled with an evaluation of the risks, vulnerabilities, and the potential damage to personnel or property/equipment as the basis for determining the need for safeguards in excess of the minimum requirements contained herein.

A green Sensitive But Unclassified (SBU) Cover Sheet, Other Gov TDF 15-05.11, , must be placed on documents that contain SBU material to prevent unauthorized or inadvertent disclosure when SBU information is removed from an authorized storage location and persons without a need-to-know are present or casual observation would reveal SBU information.

For storage of SBU data (including PII and tax information), refer to IRM 10.8.1 about limiting access to need-to-know personnel and for encryption requirements.

For storage of federal records, refer to IRM 1.15 series, Records and Information Management.

For managers handling employee performance files (EPFs), refer to the sections:

SBU data (including PII and tax information) transmitted from one location to another must be provided adequate safeguards.

Refer to the Transporting Documents section of IRM 11.3.1.

IRS personnel must use IRS email accounts to conduct IRS official business. (TD P 85-01)

The Protecting Americans from Tax Hikes (PATH) Act of 2015, Section 402, Division Q of the Consolidated Appropriations Act of 2016 reads:

Manage emails used for business communications as IRS records.

IRS personnel hold a legal responsibility to protect all IRS SBU data (including PII and tax information) entrusted to us by taxpayers, fellow personnel, and other individuals.

For more information about emailing outside the IRS, see the following subsections in this IRM for policy about taxpayers and representatives, other external stakeholders, IRS accounts, and personal email.

When authorized to email SBU data, encrypt SBU data in emails using IRS IT-approved encryption technology. Do not include SBU data (including PII or tax information, such as name control) in the email subject line.

IRS IT-approved encryption technology includes:

Refer to these IRMs for additional policy:

Documents with SBU data (including PII and tax information) must be destroyed by properly shredding, burning, mulching, pulping, or pulverizing beyond recognition and reconstruction. Ensure IRS records (hardcopy and electronic), including those containing PII, are managed appropriately and in accordance with the Records Control Schedules (RCS) Document 12990 and General Records Schedules (GRS) Document 12829 to prevent unlawful/unauthorized destruction of records.

Waste material (hardcopy, electronic, etc.) with SBU data must be placed in locked receptacles specifically marked for sensitive information (shred material, burn, sensitive, etc.). This includes material shredded with non-compliant equipment that does not meet Treasury requirements cited in (1) above. Sensitive waste material must not be discarded in regular trash bins. The guidelines provided below must be followed in order to ensure the proper destruction of sensitive waste material.

Exception to locked receptacles requirement: Burn bags/shred boxes for Temporary Storage

The fact that material has been identified for destruction does not change the requirement to provide appropriate protective measures. Waste material with SBU data must be provided the protection equal to that required by the most protected item.

Disposition and destruction of tax information must be in accordance with the Records and Information Management IRM 1.15.2, Types of Records and Their Life Cycle, IRM 1.15.3, Disposing of Records, and IRM 1.15.6, Managing Electronic Records.

Although IRS personnel might know the proper methods of destroying tax data, management must reinforce this knowledge by including document destruction as a topic in orientation sessions, periodic group meetings, and other awareness sessions.

Unshredded sensitive information may be turned over to a contractor provided the contract includes necessary safeguards that will ensure compliance with IRC 6103(n) requirements, provides for periodic safeguard reviews, and includes language describing methods of collection, pick-up, storage, and disposition.

In the event tax information media is to be collected and destroyed by an independent contractor, to preclude the necessity of having an IRS employee present during destruction, the contract must include the safeguard provisions required by IRC 6103(n) and regulations therein.

There may be areas or activities where the volume of paper documents containing tax information is sufficient to make it more practical to destroy all documents in the area of activity.

Policy regarding personally owned GPS device usage and location services (geolocation) on devices balances the business needs of field employees voluntarily using these devices and the privacy and security concerns related to the SBU data that might be contained in the devices. The purpose of the following is to minimize the risk of exposing SBU data and to prevent unauthorized disclosures. [IRC 6103, Privacy Act]

Special privacy considerations arise in the telework environment. Like all personnel, teleworking personnel have a responsibility to safeguard SBU data (including PII and tax information). Unique potential risks, such as family members accidentally taking case files left out on a desk, or overhearing phone calls with tax information, create the need for additional guidelines.

For more information on Telework requirements, refer to IRM 6.800.2, Employee Benefits, IRS Telework Program.

Personnel should be aware of their environment as they conduct business at an approved telework location.

When establishing a home office, personnel should evaluate the nature of their work and the level of sensitivity around the information they handle on a day-to-day basis, per the Equipment and Furniture section of IRM 6.800.2.

No unsecured wireless access point (w-fi hotspot) can be used as a regular telework location. For more information about secured wireless access points (wi-fi hotspots), refer to the AC-18 Wireless Access section in IRM 10.8.1.

Teleworking personnel should adhere to the following guidelines. For bargaining unit employees, should any of the guidelines conflict with a provision of a negotiated agreement, the agreement will prevail. Individual office practices may supplement this information.

Teleworking personnel should consider:

Digital assistants, smart devices, Internet of Things (IoT), and other devices that can record or transmit sensitive audio or visual information must not be allowed to compromise privacy in the work or telework environment. These devices typically contain sensors, microphones, cameras, data storage components, speech recognition, GPS or location options, and other multimedia capabilities. These features could put the privacy of personnel and/or taxpayers at risk due to the personal information that might be unwittingly disclosed. When working on any form of SBU data (including PII and tax information), follow these rules:

Bring your own device (BYOD) is a concept that allows personnel to utilize their personally‐owned technology devices to stay connected to, access data from, or complete tasks for their organizations. At a minimum, BYOD programs allow users to access employer‐provided services and/or data on their personal tablets/e-readers, smartphones, and other devices.

To protect the privacy of the tax information, BYOD participants must:

For the privacy of the BYOD employee, the employee may block the outgoing phone number of the personal device per IT4U BYOD guidance on their site on IRS Source.

Refer to IRM 10.8.26, Government Furnished and Personally Owned Mobile Computing Device Security Policy, and IRM 10.8.27, IRS Policy on Limited Personal Use of Government IT Resources.

For more information about BYOD, see also the IT4U BYOD site on IRS Source.

Privacy and civil liberties often overlap.

Civil liberties are the rights of people to do or say things that are not illegal without being stopped or interrupted by the government (due process). For example, the U.S. Constitution’s Bill of Rights guarantees civil liberties:
https://www.archives.gov/founding-docs/bill-of-rights

The Privacy Act provides for privacy and civil liberties protections, outlined in the First Amendment section in IRM 10.5.1.6.13.1 and detailed in the Recordkeeping Restrictions section of IRM 10.5.6, Privacy Act.

Through the Taxpayer Bill of Rights, codified in IRC 7803(a)(3), the IRS makes taxpayer privacy (with due process) and confidentiality essential rights that help protect their civil liberties:
https://www.irs.gov/taxpayer-bill-of-rights

The Privacy Act also allows for due process rights, as it forms the basis for the IRS Privacy Principles.

Many existing privacy policy and compliance requirements, including the IRS Privacy Principles, also protect civil liberties. For example, the principle of Data Quality ensures fair treatment [PVR-07]. The principle of Access, Correction, and Redress ensures due process [PVR-09], as do the principles of Openness and Consent [PVR-04], and Verification and Notification [PVR-08].

The IRS further addresses civil liberties protections through the PCLIA. The PCLIA reinforces Privacy Act requirements regarding the collection of First Amendment activities information and monitoring of individuals (see the Monitoring Individuals section in IRM 10.5.1.6.13.3 ).

Refer to IRM 10.5.2 for more information on the PCLIA process.

For more information, refer to the Recordkeeping Restrictions section of IRM 10.5.6, Privacy Act.

For more information, refer to Treasury’s Privacy and Civil Liberties Impact Assessment (PCLIA) Template and Guidance.

The IRS has privacy obligations for contractors with access to SBU data (including PII and tax information). As outlined in the IRS Privacy Principle of Accountability and NIST Privacy Control AR-3, Privacy Requirements for Contractors and Service Providers, the IRS must:

Employees responsible for procurement activities on contracts that involve SBU data (including PII and tax information) must therefore:

Refer to IRM 10.23.2, Contractor Investigations, or the Procurement site on IRS Source.

Do not post SBU data (including PII and tax information) online, including IRS official internal or external websites or cloud-based systems or services, unless secured with IT-approved access controls by the IRS (or by an IRS vendor bound by contract to protect the information). [NIST SP 800-122, TD P 85-01]

Persistent cookies or other tracking devices to monitor the public's visits may not be used on an IRS Internet site except as authorized by OMB regulations.

Online data may require several types of notices:

For any Privacy Policy notice approval, email *Privacy.

For policy on authentication of individuals in online transactions, see the Electronic Authentication section in IRM 10.5.1.7.10.

The IRS uses social media to share the latest information on tax changes, initiatives, products, and services. To expand reach to taxpayers and stakeholders, the IRS shares information on several social media platforms, including Twitter, Facebook, and LinkedIn.

Because the use of social media allows potential direct interaction with the public, the IRS implemented specific rules to ensure only authorized employees speak in an official capacity. With the exception of approved IRS communicators handling official IRS media initiatives, IRS employees are not authorized to use social media in an official capacity. Refer to the Social Media Guidelines for IRS Employees site on IRS Source.

For more information about Internet research guidelines, refer to the Use of Social Networking and Other Internet Sites by IRS Employees for Compliance Research or for Other Purposes section in IRM 11.3.21, Investigative Disclosure

Personal, non-work usage of these social media tools on personal devices must not compromise the confidentiality of SBU data (including PII or tax information) or the integrity of the IRS. With the exception of approved IRS communicators handling official IRS media initiatives, IRS personnel are not authorized to use social media in an official capacity and should adhere to the Communications and Liaison guidelines. Refer to the Social Media site on IRS Source.

To use any existing IRS social media tools in communications plans or outreach initiatives, business units must use the appropriate social media authorization form or contact the appropriate social media platform owner.

If an IRS organization would like to consider use of a new social media platform, they must submit a New Media Use Authorization Form for approval by the IRS Social Media Governance Council, along with a Social Media PCLIA.

For more information on Social Media PCLIAs, refer to IRM 10.5.2, Privacy Compliance and Assurance (PCA) Program, or the Social Media site on IRS Source.

This policy does not apply to PII the IRS proactively makes available to all personnel on resource sites (including, but not limited to, Discovery Directory, Outlook (calendar, profile information, and address book), intranet, and SharePoint site collections), such as names and business contact information.

Some of the privacy risks associated with collaborative data sites include:

The data residing on collaborative data sites require privacy protections. These protections must include:

Refer to the SC-15 Collaborative Computing Devices section in IRM 10.8.1 for additional information.

Although IRC 6103(h) (1) permits the disclosure of tax information to IRS personnel for the purposes of tax administration to the extent the individual obtaining that access has a "need to know," IRS employees must avoid the use of tax information in training.

For more information about fictionalizing data, see the PGLD Fictitious Identifying Information Examples page and the Disclosure Requirements section of IRM 6.410.1, Learning and Education, Learning and Education Policy.

For more information about training material and official use only requirements, refer to IRM 11.3.12, Designation of Documents, and IRM 1.11.2, Internal Management Documents System, Internal Revenue Manual (IRM) Process.

Privacy Policy and Knowledge Management (PPKM), within PGLD’s PPC, oversees and coordinates the IRS Privacy Council. [AR-1]

The purpose of the IRS Privacy Council is to:

To accomplish these objectives, the IRS Privacy Council members will:

The IRS privacy community participates in the Federal Privacy Council (FPC) to identify federal agency best practices, build and strengthen collaboration with other agencies, and conduct outreach as appropriate. See the References section in Exhibit 10.5.1-2 for the link to the FPC website and resources.

For more information, email *Privacy or refer to the IRS Privacy Council site on the PGLD Disclosure and Privacy Knowledge Base on IRS Source.

Privacy Compliance and Assurance (PCA), within PGLD’s PPC, supports the IRS in recognizing the importance of protecting the privacy of taxpayers and employees, balancing the need for information collection with the privacy risks. The vehicle for addressing privacy issues in a system is the PCLIA. [OMB A-130]

If the IRS procures, uses, or develops IT to process (collect, maintain, or disseminate) PII, the IRS must consider the privacy protections with a PCLIA. [E-Government Act]

For more information about the PCLIA process, refer to IRM 10.5.2, Privacy Compliance and Assurance (PCA) Program, or the PCLIA site on the PGLD Disclosure and Privacy Knowledge Base on IRS Source.

Privacy Compliance and Assurance (PCA), within PGLD’s PPC, uses the Business PII Risk Assessment (BPRA) program to assess privacy risks in IRS processes. The BPRA addresses the impact of privacy risks in the same way an IT security risk assessment addresses the impact of security risks to the IRS. [OMB A-130]

For more information about the BPRA program, email *Privacy or see the BPRA page on the PCA site on the PGLD Disclosure and Privacy Knowledge Base on IRS Source.

Treasury is mandated by Congress to maintain a listing of all systems that contain PII. The database is designed to assist the Treasury in maintaining a detailed inventory of its PII holdings. [SE-1, OMB A-130]

For more information about the Treasury PII Holdings Report, email *Privacy.

Information Protection Projects (IPP), under PGLD’s Identity and Records Protection (IRP), administers the Unauthorized Access to Taxpayer Accounts (UNAX) program.

The term UNAX is used to define the act of committing an unauthorized access, attempted access or inspection (commonly referred to as UNAX) of any tax information contained on paper or within any electronic format without a management-assigned IRS business need.

For more information, refer to IRM 10.5.5, IRS Unauthorized Access, IRS Unauthorized Access, Attempted Access or Inspection of Taxpayer Records (UNAX) Program Policy, Guidance and Requirements.

Refer to the UNAX site on the PGLD Disclosure and Privacy Knowledge Base on IRS Source.

Mandatory briefings deliver required IRS-wide training – including the Privacy Information Protection and Disclosure and UNAX briefings managed by the PGLD offices of PPKM and IPP, respectively.

For more information about mandatory briefings, refer to the Mandatory Briefings page on the PGLD Disclosure and Privacy Knowledge Base on IRS Source.

Records and Information Management (RIM) Office within IRP supports the IRS mission and programs by promoting current information, guidance, and awareness of the importance of managing records throughout the IRS. The RIM program addresses the requirements for recordkeeping, protection, review, storage, and disposal.

The public expects that IRS records are available where and when they are needed, to whom they are needed, for only as long as they are needed, in order to conduct business, adequately document IRS activities, and protect the interests of the federal government and American taxpayer. All IRS records are required under the Federal Records Act to be efficiently managed until final disposition.

Refer to IRM 1.15.7, Records and Information Management, Files Management, for additional information.

Disclosure, within PGLD’s Governmental Liaison, Disclosure and Safeguards (GLDS), supports the Disclosure program. Disclosure safeguards confidential records, from the mailroom to the Commissioner’s office. The word "sensitive" encompasses every type of SBU data from tax records to personal employee data.

Tax returns and return information are to be considered SBU data. 26 USC 6103 provides the general rule that tax returns and return information are confidential and can not be disclosed except as provided by Title 26.

IRM 11.3 series, Disclosure of Official Information, contains guidelines governing whether tax returns and other information contained in IRS files may be disclosed. Disclosure may not be made unless IRC 6103 authorizes disclosure and not before requirements in IRC 6103 and IRM 11.3 series are met. The Office of Government, Liaison and Disclosure must approve proposed disclosures and ensure they meet the requirements of an exception in Title 26 before disclosure.

Before disclosing IRS information (tax information, proprietary information, processes, system information, etc.), contact Disclosure to ensure that the information may be disclosed or what can/should be redacted.

See the Disclosure site on the PGLD Disclosure and Privacy Knowledge Base on IRS Source.

See also the external site for submitting a FOIA Request:
https://www.irs.gov/privacy-disclosure/irs-freedom-of-information

Digital Identity Risk Assessment (DIRA) [formerly Electronic Risk Assessment (e-RA]) is a joint effort between IT Cybersecurity and Online Services to establish a framework for establishing authentication risk consistently across online web-based electronic transactions.

To ensure privacy and security, agencies must authenticate users of their web-based or online transactions before permitting access to information entrusted to them. The DIRA process evaluates the risk of a transaction to determine the applicable assurance level on three component parts, referred to as Identity Assurance Level (IAL), Authenticator Assurance Level (AAL), and Federation Assurance Level (FAL).

For information about risk assessments of online services, contact *IT Cyber CPO DIRA.

To ensure privacy and security, agencies must authenticate web-based or online transaction users before permitting access to information. In the Identity and Access Management domain, the e-Authentication (eAuth) framework uses this process to guide business units with the implementation of online applications/transactions.

For more information, see the DIRA section in IRM 10.5.1.7.9. Refer to the Secure Access e-Authentication section in IRM 21.2.1, Systems and Research Programs, Systems. Refer to the e-Authentication site on IRS Source.

The IT Enterprise Life Cycle (ELC) office manages the ELC program.

The IRS ELC is the methodology by which the IRS manages project activities through established standard processes.

For more information about the ELC, refer to IRM 2.16.1, Enterprise Life Cycle (ELC), ELC Guidance, or the ELC site on IRS Source.

Governmental Liaison (GL) facilitates, develops, and maintains relationships with federal, state, and local governmental agencies and IRS operating and functional divisions on strategic IRS programs. All IRS personnel should contact GL prior to contacting any governmental agency regarding initiatives or data exchanges.

GL maintains the IRS Agreement Database (IAD), which includes:
Formal agreements that GL established with U.S. federal, state and local governmental agencies and IRS business units to exchange data, and tax and non-tax information that require PGLD oversight for privacy, disclosure, and safeguarding. (Internet service agreements, LBI treaty and Foreign Account Tax Compliance Act agreements, Agreements with 6103(k)(6) disclosures and IRC 6103(c) consent-based disclosures with non-government agencies are excluded.)

For more information about GL, see IRM 11.4.1, Communications and Liaison, Office of Governmental Liaison, Governmental Liaison Operations.

For more information about GL’s programs, see their page on IRS Source:

Identity Assurance (IA) provides oversight and strategic direction for authentication, authorization, and access processes of taxpayer information. IA also delivers externally facing IRS services across all channels while protecting taxpayer data from fraudsters and identity thieves.

For more information about IA, see the IA site on IRS Source.

Architecture and Implementation under Cybersecurity supports IT security policy and implementation.

IT security and privacy issues go hand-in-hand. Information Technology security policy describes how to protect IT environments, while privacy policy describes how to protect individuals’ information in those IT environments. Information Technology focuses on protecting the systems, the network, and the applications that house the data. Privacy focuses on protecting the individual represented by the data.

For more information about IT security policy and references, see IRM 10.8.1 and the rest of the IRM 10.8 family.

For more information about the Cybersecurity program, see the Cybersecurity site on IRS Source.

Incident Management (IM), within PGLD’s PPC, is dedicated to assisting taxpayers and personnel potentially impacted by IRS breaches by working quickly and thoroughly to investigate breaches to decrease the possibility that information will be compromised and used to perpetrate identity theft or other forms of harm.

The IM program manages reports of IRS losses, thefts, and inadvertent disclosure of SBU data (including PII and tax information).

Immediately upon discovery of an inadvertent unauthorized disclosure of sensitive information, or the loss or theft of an IT asset or hardcopy record or document containing sensitive information, personnel must report an incident/breach to the manager and the appropriate organizations based on what was lost or disclosed.

Anyone discovering a breach must report the breach to the appropriate organizations.

For more information about how to report an incident/breach, see IRM 10.5.4, Privacy and Information Protection, Incident Management Program, or the Report Losses, Thefts or Disclosures of Sensitive Data; Report Lost or Stolen IT Assets site on the PGLD Disclosure and Privacy Knowledge Base on IRS Source.

Incident Management (IM), within PGLD’s PPC, manages the IRS Pseudonym program.

Under certain conditions (protection of personal safety, adequate justification, pre-approval, etc.), the Pseudonym program provides for the use of pseudonyms by IRS employees. The IRS Incident Management operation helps employees protect the privacy of these pseudonyms.

See IRM 10.5.7, Use of Pseudonyms by IRS Employees

The Safeguards program and staff are responsible for ensuring that federal, state, and local agencies receiving federal tax information protect it as if the information remained in IRS’s hands.

For more information about Safeguards, see the Safeguards site on the PGLD Disclosure and Privacy Knowledge Base on IRS Source.

Information Protection Projects (IPP), under PGLD’s Identity and Records Protection (IRP), administers the Social Security Number Elimination and Reduction (SSN ER) program.

This program’s goal is to implement regulatory requirements to eliminate or reduce the collection and use of SSNs in programs, processes, and forms. [OMB A-130]

For more information, refer to the SSN ER site on the PGLD Disclosure and Privacy Knowledge Base on IRS Source.
or email *PGLD SSN Reduction.

Privacy Compliance and Assurance (PCA), within PGLD’s PPC, manages the SBU Data Use process for non-production environments.

The SBU Data Use for non-production environments process helps Information Owners (IOs) and Authorizing Officials (AOs) know when SBU data (including PII or tax information) is being used in additional non-production environments, when appropriate. This process helps IOs and AOs, tasked with accepting risk on behalf of the IRS, to know and understand the movement of the SBU data outside the production environment and to ensure its protection. [DM-3]

See IRM 10.5.8 (formerly IRM 10.8.8), Sensitive But Unclassified (SBU) Data Policy: Protecting SBU in Non-Production Environments and that site on the PGLD Disclosure and Privacy Knowledge Base on IRS Source.