The PGLD vision is to lead the nation in privacy rights protection. The PGLD mission is to preserve privacy and enhance public trust through proper authentication, access, disclosure, retention, and protection of all data and records.

The privacy and security of taxpayer and personnel information is one of the IRS's highest priorities. PGLD owns privacy and records management policy and initiatives and coordinates privacy and records management-related actions throughout the IRS. [OMB A-130]

PGLD is committed to ensuring the protection of SBU data, including taxpayer and personnel PII, from unauthorized access. The organization identifies and reduces threats to privacy and increases awareness of criminal activities aimed at compromising this information. PGLD also leads IRS privacy and records management policies, coordinates privacy protection guidance and activities, responds to privacy complaints, and promotes data protection awareness throughout the IRS. [OMB A-130]

This IRM defines the uniform policies used by IRS personnel and organizations to carry out privacy-related responsibilities.

This IRM establishes the minimum baseline privacy policy and requirements for all IRS SBU data (including PII and tax information) to:

You may use practices that are more restrictive than those defined in this IRM.

It is the policy of the IRS to protect privacy and safeguard confidential tax information. For more information, review IRM 10.5.1.3.2, IRS Privacy Principles.

The Director, PGLD, is the IRS Chief Privacy Officer (CPO). The Director, PPC, is the Bureau Privacy and Civil Liberties Officer (BPCLO). For more information about PGLD, refer to IRM 1.1.27, Privacy, Governmental Liaison and Disclosure (PGLD), and the internal PGLD Disclosure and Privacy Knowledge Base.

Treasury houses the Senior Agency Official for Privacy (SAOP) for the IRS, while the IRS CPO is the executive director responsible for the IRS privacy program.

The audience to which the provisions in this manual apply includes:

For this IRM, IRS personnel or users includes:

Authorized or Unauthorized personnel applies to whether they are authorized or not authorized to perform an action. To be authorized, all personnel must have a need to know and must complete required training (IRS annual and role-based privacy, information protection, and disclosure training requirements, Unauthorized Access [UNAX] awareness briefings, records management briefings, and all other specialized privacy training) and background investigations before given access to SBU data (including PII and tax information). [OMB A-130]

Privacy Policy and Knowledge Management (PPKM) under PGLD’s Privacy Policy and Compliance (PPC) develops privacy policy following applicable laws, mandates, guidance, mission, and input from other stakeholders. Review Exhibit 10.5.1-2, References.

For more information about PGLD, refer to IRM 1.1.27, Privacy, Governmental Liaison and Disclosure (PGLD), and the internal PGLD Disclosure and Privacy Knowledge Base.

All business units are stakeholders for privacy.

This IRM serves as the framework for IRS privacy policy and an introduction to PGLD.

This policy establishes the privacy context for the development of related subordinate IRMs, IRS publications, and subordinate job aids such as Standard Operating Procedures (SOP).

Subordinate IRMs offer added privacy program protection information.

If IRM 10.5.1 conflicts with or varies from the subordinate IRMs in the IRM 10.5 series or guidance, IRM 10.5.1 takes precedence, unless the subordinate IRM is more restrictive or otherwise noted.

Where this policy cites a subsection, it includes by reference its subsections.

Where this policy uses the term includes, it gives examples, not an all-inclusive list. This means the list of items after that does not limit the references to exclude something not listed.

To deviate from privacy policy, follow the Form 14675, Decision Making Framework Risk Acceptance Form and Tool (RAFT), process in consultation with the CPO. [OMB A-130, TD P 85-01] The executive or other senior official with the authority to formally assume responsibility for the process must sign the RAFT as the approver. The RAFT clearly documents business decisions in the context of risk appetite and acceptance. Send the RAFT to PPKM for review for compliance with privacy laws and regulations. PPKM will not grant exceptions to bypass laws or mandates. Send RAFT review requests via email to *Privacy (give topic name in subject line and add Attn: CPO RAFT review). For RAFT guidance, refer to the internal Office of the Chief Risk Officer site.

This policy assigns responsibilities and lays the foundation necessary to measure privacy progress and compliance.

PGLD’s Privacy Policy and Knowledge Management (PPKM) implements relevant privacy statutes, regulations, guidelines, OMB Memoranda, and other requirements. Various statutes, such as the Privacy Act, Federal Information Security Modernization Act (FISMA), and Paperwork Reduction Act mandate compliance with OMB policy and NIST guidance, giving them the force of law.

The Taxpayer Bill of Rights (TBOR) lists rights that already existed in the tax code, putting them in simple language and grouping them into 10 fundamental rights. Employees are responsible for being familiar with and acting in accord with taxpayer rights. Refer to IRC 7803(a)(3), Execution of Duties in Accord with Taxpayer Rights. For more information about the TBOR, refer to Taxpayer Bill of Rights (external). The TBOR requires the IRS to protect taxpayer rights to privacy and confidentiality.

To reference the origin of a privacy policy cited later in this IRM (such as a law, OMB, NIST, or Treasury), this IRM may reference a requirement’s origin in brackets at the end of the guidance, such as [Strict Confidentiality] (IRS Privacy Principles), [AC-01] (NIST SP 800-53 Security and Privacy Controls), or [TD P 85-01] (Treasury Directive Publications). If no specific origin reference appears, multiple origins may apply. Lack of a reference citation does not mean that no origin applies.

For a full list of authority references, review Exhibit 10.5.1-2, References.

The primary laws include:

The most relevant OMB circulars and memos include:

Relevant NIST guidance includes:

Relevant Department of the Treasury directives and publications include:

The IRS cites the authorities and purposes (namely tax administration) for processing PII on its System of Records Notices (SORNs) published in the Federal Register and on other required privacy documentation, such as the PCLIA, before information collection. All IRS personnel must restrict the processing of PII to only that which is authorized and for the purposes collected. [Privacy Act; NIST SP 800-53]

Primary authorities for processing PII include:

IRS Policy Statements 1-1 and 10-2 support these authorities in:

Review IRM 10.5.1.4, IRS-Wide Privacy Roles and Responsibilities.

Business units hold responsibility for managing their program and showing how effectiveness and objectives are measured within the scope of this IRM.

For PGLD program management and review, the IRS formally documents its privacy program in Pub 5499, IRS Privacy Program Plan.

The NIST technical security and privacy controls address federal IT systems.

Business units hold responsibility for showing and documenting the program controls developed to oversee their program as well as ensuring employee compliance with all applicable elements of this IRM.

For PGLD program controls, the IRS formally documents its privacy program in Pub 5499, IRS Privacy Program Plan.

The NIST technical security and privacy controls address federal IT systems. For all the controls relevant to privacy, review IRM 10.5.1.8, NIST SP 800-53 Security and Privacy Controls.

Review Exhibit 10.5.1-1, Glossary and Acronyms.

Review Exhibit 10.5.1-2, References.

The concept of a privacy and information lifecycle refers to the creation, collection, receipt, use, processing, maintenance, access, inspection, display, storage, disclosure, dissemination, or disposal of SBU data (including PII and tax information), regardless of format. [OMB A-130]

IRS personnel must protect SBU data (including PII and tax information) throughout the privacy lifecycle, from receipt to disposal.

This IRM uses the term processing to refer to all the steps in the privacy lifecycle.

Sensitive but unclassified (SBU) data is any information which if lost, stolen, misused, or accessed or altered without proper authorization, may adversely affect the national interest or the conduct of federal programs (including IRS operations), or the privacy to which individuals are entitled under the Privacy Act. For the full definition, refer to TD P 15-71, Treasury Security Manual, Chapter III, Section 24, Sensitive But Unclassified Information.

SBU data includes:

All IRS personnel must protect SBU data. Personnel must restrict access, inspection, and disclosure of SBU data to others who have a need to know the information. This restriction applies to SBU data the IRS processes and makes available to taxpayers and other outside parties. IRS personnel must remove access from non-IRS personnel when the need no longer exists. Review IRM 10.5.1.6.1, Protecting and Safeguarding SBU Data. [Strict Confidentiality]

SBU data includes categories of protected information which many IRS personnel handle daily, such as PII and tax information. It also includes other categories, such as procurement (which can include general procurement and acquisition, small business research and technology, and source selection) and system information (which can include critical infrastructure categories like information systems vulnerability information, physical security, and emergency management).

Personnel must decide if the SBU data is necessary to do business (does it support the business purpose of the system or the organization’s mission?). If it does not serve a valid business purpose, then the IRS must not collect that SBU data. If that SBU data does serve a business purpose, then the IRS may use it throughout the privacy lifecycle properly. For more information, review IRM 10.5.1.3.2, IRS Privacy Principles. [Privacy Act; Purpose Limitation; Minimizing Collection, Use, Retention, and Disclosure]

All IRS personnel must identify and mark SBU data as such following IRM 10.5.1.6.5, Marking. SBU data so marked is not meant for public release. [TD P 15-71]

SBU data in a public record is still SBU data, but different protections apply. To decide if publicly available SBU data or SBU data in the public record is still sensitive, review IRM 10.5.1.2.3.2, Public Record.

Constitutionally required disclosures: Some situations require disclosure of information, including SBU data, such as criminal cases where the IRS has a constitutional obligation to disclose, upon the defendant's request, evidence material either to guilt or punishment (exculpatory evidence). For more details, refer to IRM 11.3.35, Requests and Demands for Testimony and Production of Documents.

Complete a Qualifying Questionnaire for any system using SBU data to decide when it has PII and needs a Privacy and Civil Liberties Impact Assessment (PCLIA). Refer to IRM 10.5.2.2, Privacy and Civil Liberties Impact Assessment (PCLIA). [RA-08]

For more information on PII, review IRM 10.5.1.6.1, Protecting and Safeguarding SBU Data and PII.

Personally identifiable information (PII) means information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual. [OMB A-130]

For IRS purposes:

Information permitting the physical or online contacting of a specific individual [E-Government Act section 208(b)(1)(A)(ii)(II)] is the same as information in identifiable form, [OMB M-03-22] which means that it is PII.

The definition of PII is not anchored to any single category of information or technology. Rather, it requires a case-by-case assessment of the specific risk that an individual can be identified.

Non-PII can become PII when more information becomes available — in any medium and from any source — that, when combined with other available information, could be used to identify an individual. [NIST SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII); OMB M-10-23]

Review IRM 10.5.1.2.3.1, Examples and Categories of PII, for more information.

PII is SBU data. You may mark it as PII to meet the SBU data marking requirement in IRM 10.5.1.6.5, Marking.

If PII is related to a tax account, it is also tax information or FTI. If PII is also tax information, you may mark it as FTI to highlight its sensitivity to meet the SBU data marking requirement in IRM 10.5.1.6.5, Marking.

Privacy Act information is PII, but not all PII is a Privacy Act record. Review IRM 10.5.1.2.7, Privacy Act Information.

Submit a PCLIA for any system using PII. Refer to IRM 10.5.2.2, Privacy and Civil Liberties Impact Assessment (PCLIA). [RA-08]

PII in a public record is still PII, but different protections apply. To decide if publicly available PII or PII in the public record is still sensitive, review IRM 10.5.1.2.3.2, Public Record.

You must protect PII as you do any SBU data. For more information on PII, review IRM 10.5.1.6.1, Protecting and Safeguarding SBU Data and PII.

The term tax information, or federal tax information (FTI), refers to a taxpayer’s return and return information protected from unauthorized disclosure under IRC 6103. This law defines return information as any information the IRS has about a tax or information return, liability, or potential liability under Title 26. This return information includes a taxpayer’s:

Redacting, masking, or truncating tax information does not change its nature. It is still tax information.

Tax information in IRS business processes comes under many names, such as FTI, IRC 6103 protected information, 6103, taxpayer data, taxpayer information, tax return information, return information, case information, SBU data, and PII. Do not use the term "live data" to describe tax information, unless in a production environment as discussed in IRM 10.5.1.2.2, Sensitive But Unclassified (SBU) Data.

Tax information is SBU data. IRC 6103 protects tax information from unauthorized disclosure. When tax information relates to an individual, that SBU data is also PII. [IRC 6103(b)(2)]

You may mark tax information as FTI to meet the SBU data marking requirement in IRM 10.5.1.6.5, Marking.

You must protect tax information as you do any SBU data. Review IRM 10.5.1.6.1, Protecting and Safeguarding SBU Data.

Submit a PCLIA for any system using tax information. Refer to IRM 10.5.2.2, Privacy and Civil Liberties Impact Assessment (PCLIA). [RA-08]

Review these subsections in this IRM for more information:

For more information about return information and a definition, refer to IRM 11.3.1.4, Disclosure and Safeguarding of Returns and Return Information.

The term UNAX defines the act of committing an unauthorized access or inspection of any tax information contained on paper or within any electronic format. An access or inspection is unauthorized if done without a management-assigned IRS business need.

The IRS created the unauthorized access or inspection of tax information and records (UNAX) program to implement privacy protection and statutory unauthorized access and browsing prevention requirements.

The Taxpayer Browsing Protection Act defines UNAX. For more information about UNAX, refer to the internal UNAX site and IRM 10.5.5, IRS Unauthorized Access, Attempted Access or Inspection of Taxpayer Records (UNAX) Program Policy, Guidance, and Requirements.

While statutory UNAX (based on the Taxpayer Browsing Protection Act) refers to unauthorized access to tax information, other statutes, Treasury, and IRS policy govern unauthorized access to SBU data. [TD P 15-71, Treasury Security Manual, Chapter III, Section 24, Sensitive But Unclassified Information]

The term unauthorized access of SBU data defines the act of committing an unauthorized access or inspection of any SBU data (not tax information) contained on paper or within any electronic format. An access or inspection is unauthorized if done without a management-assigned IRS business need.

Review IRM 10.5.1.2.2, Sensitive but Unclassified (SBU) Data, and IRM 10.5.1.2.8, Need To Know.

Refer to 18 U.S. Code 1030 - Fraud and related activity in connection with computers; 44 USC 3551-3558; and the Privacy Act.

The Privacy Act forms the core of IRS privacy policy. It provides certain safeguards for an individual against an invasion of personal privacy by requiring federal agencies to:

The Privacy Act applies to agency records retrieved by an identifier for an individual who is a US citizen or an alien permanently admitted to US residence. A group of these records is a system of records (SOR).

The term "record" includes education, financial transactions, medical history, and criminal or employment history, and that has name, or the identifying number, symbol, or other identifying element assigned to the individual, such as a fingerprint or a photograph.

Responsible IRS personnel must publish a System of Records Notice (SORN) in the Federal Register when establishing a new system of records, before retrieving the information by an identifier.

Privacy Act information is PII because it identifies individuals. That means it is also SBU data. As with any other SBU data, you must allow disclosure only to persons authorized to have access to the information under to the Privacy Act.

Personnel records are Privacy Act information when retrieved by an identifier. Refer to IRM 10.5.6.8, Personnel Records.

For more information on the conditions of disclosure, refer to IRM 10.5.6.2.2, Conditions of Disclosure Under the Privacy Act.

Restrict access to SBU data (including PII and tax information) to those IRS personnel who have a need for the information in the performance of their duties.

The term "need to know" describes the requirement that personnel may access SBU data (including PII and tax information) only as authorized to meet a legitimate business need, which means personnel need the information to perform official duties. Review examples later in this subsection for explanations of how need to know applies to duties.

Personnel (including current employees, rehired annuitants, and returning contractors) who change roles or assignments may access only the SBU data (including PII and tax information) for which they still have a business need to know to perform their duties. When you no longer have a business need to know, you must not access the information. This policy includes information in systems, files (electronic and paper), and emails, even if technology does not prevent access.

You must make sure you follow this need-to-know policy.

This standard is less stringent than a "cannot function without it" test. For each use, consider whether you need the information to perform official duties properly or efficiently. Necessary for official duties in this context does not mean essential or indispensable, but proper and helpful in obtaining the information sought.

Management must inform personnel who have a need to know of the protection requirements under the law and make sure they have the proper level of clearance through a background investigation, typically covered by the onboarding and training process.

Need to know supports the "relevant and necessary" aspect of the Purpose Limitation Privacy Principle and the Privacy Act. It conveys the statutory restrictions to disclose protected information to those who have an authorized need for the information in the performance of their duties. The Strict Confidentiality Privacy Principle requires this, as does the NIST Privacy Control for Privacy Monitoring and Auditing and Security Controls in the Access Control family. [Purpose Limitation; Strict Confidentiality; Privacy Act; IRC 6103 and 7803(a)(3); UNAX; Treasury’s Privacy and Civil Liberties Impact Assessment (PCLIA) Template and Guidance; NIST SP 800-53]

Access to CNSI requires more stringent controls outlined in IRM 10.9.1, Classified National Security Information.

Refer to IRM 11.3.22.2.1, Access by IRS Employees.

Authentication is the process of establishing or confirming that someone is the previously identified person they claim to be. For authentication policy, refer to IRM 10.10.3, Centralized Authentication Policy – Centralizing Identity Proofing for Authentication Across All IRS Channels.

Authentication makes sure that the individual is who they claim to be but says nothing about the access rights of the individual. For more information about authentication technical security controls, refer to IRM 10.8.1, Security Policy.

Authorization refers to both the legal authority (such as IRC 6103) and the organizational authority for processing data. For more information about tax information authorization, refer to IRM 11.3.1.2, Disclosure Code, Authority, and Procedure (CAP).

To be authorized, all personnel must have a need to know and must complete required training (IRS annual and role-based privacy, information protection, and disclosure training requirements, Unauthorized Access [UNAX] awareness briefings, records management briefings, and all other specialized privacy training) and background investigations before given access to SBU data (including PII and tax information). [OMB A-130]

External authorization is the process that verifies that external parties have the legal rights or privileges to interact with the IRS on behalf of themselves or others (such as other government agencies, businesses, or individuals). Such authority might be by a formal request for information processed using established written procedures, a memorandum of understanding, or an executed agreement.

Authorization is required for any person or business conducting IRS business on another person’s behalf (such as tax return preparers).

IT authorization covers access privileges granted to a user, program, or process or the act of granting those privileges. Refer to the term authorization in IRM 10.8.1, Security Policy.

High security items are original or certified paper documents with SBU data (including PII and tax information), typically received and processed in IRS office controlled or limited areas, that management must not allow personnel to remove from the facility. These are highly sensitive documents in IRM 6.800.2.2.8, Denial of Telework Agreement Requests. Refer to IRM 10.2.14.3, Protecting Assets.

Send questions about high security items to the *Privacy mailbox.

OMB A-130 mandates federal agencies implement NIST security and privacy controls.

The IRS formally documents its privacy program in Pub 5499, IRS Privacy Program Plan.

These privacy and security controls are the technical controls that address federal IT systems. For all the controls relevant to privacy, review IRM 10.5.1.8, NIST SP 800-53 Security and Privacy Controls.

The subsection IRM 10.5.1.8, NIST SP 800-53 Security and Privacy Controls, is for technical management officials developing and supporting IT systems, including management, senior management and executives, system owners, system developers, and authorizing officials. For more information about these roles, refer to IRM 10.8.2.3, IT Security Roles and Responsibilities.

The NIST Special Publication (SP) 800-53 Revision 5 (Rev 5) controls establish a relationship between privacy and security controls. Per Section 2.4, Security and Privacy Controls:

The public trusts the IRS and its personnel to protect their privacy and safeguard their confidential information.

The IRS is dedicated to meeting this expectation. You must act in a way that shows a commitment to treat individuals fairly, honestly, and respectfully, and always protect their right to privacy. [OMB A-130]

Protecting privacy and safeguarding confidential information is a public trust. To keep this trust, the IRS and its personnel must follow these privacy principles:

The IRS derived the privacy principles from the Fair Information Practice Principles (FIPPs) and the Privacy Act. The Privacy Act requires that information be relevant, accurate, necessary, and timely (RANT).

The Taxpayer Bill of Rights (TBOR) lists rights that already existed in the tax code, putting them in simple language and grouping them into 10 fundamental rights. Employees are responsible for being familiar with and acting in accord with taxpayer rights. Refer to IRC 7803(a)(3), Execution of Duties in Accord with Taxpayer Rights. For more information about the TBOR, refer to Taxpayer Bill of Rights (external). The TBOR requires the IRS to protect taxpayer rights to privacy (with due process) and confidentiality as essential rights that help protect their civil liberties.

IRS Policy Statements 1-1 and 10-2 highlight these principles in:

The IRS Privacy Principles form an overarching privacy ethical framework for the IRS to apply to SBU data (including PII and tax information). Use of this framework promotes the integrity and trustworthiness the public expects and deserves.

For a poster of the IRS Privacy Principles, refer to Document 14540, IRS Privacy Roadmap. For more details on each of the privacy ethical principles, refer to the internal IRS Privacy Principles site.

IRS personnel (as defined in IRM 10.5.1.1.2, Audience) must follow the responsibilities in paragraphs (2) through (14).

Keep informed of and follow applicable IRS privacy policies and procedures, including the IRS Privacy Principles in IRM 10.5.1.3.2. This means carrying out the mission of the IRS, which requires the IRS to safeguard privacy and protect privacy rights. Review the IRS Privacy Principle in IRM 10.5.1.3.2.1, Accountability.

Limit access to records that include SBU data only to those authorized individuals with a need to know. You are always responsible for the information you share. Review the IRS Privacy Principles in IRM 10.5.1.3.2.3, Minimizing Collection, Use, Retention, and Disclosure, and IRM 10.5.1.3.2.5, Strict Confidentiality.

Use SBU data only for the purposes for which the IRS collected it. Review the IRS Privacy Principle in IRM 10.5.1.3.2.2, Purpose Limitation.

Limit the use and disclosure of SBU data to that which is necessary and relevant for tax administration and other legally mandated or authorized purposes. Review the IRS Privacy Principle in IRM 10.5.1.3.2.2, Purpose Limitation.

Prevent unnecessary access, inspection, and disclosure of SBU data in information systems, programs, electronic formats, and hardcopy documents by following proper safeguarding measures. Review the IRS Privacy Principles in IRM 10.5.1.3.2.5, Strict Confidentiality, and IRM 10.5.1.3.2.6, Security.

Safeguard IRS information and information systems entrusted to them. Review the IRS Privacy Principle in IRM 10.5.1.3.2.6, Security.

Use IRS email accounts for performance of official duties. Review the IRS Privacy Principle in IRM 10.5.1.3.2.1, Accountability.

Follow existing IT Security Policy and IRS System Security Rules (the IRS Rules of Behavior in the internal Business Entitlement Access Request System (BEARS)) on use of IRS-furnished equipment to process IRS information, not personally-owned or non-IRS furnished equipment (including cloud or web-based systems or services). These IRS Rules of Behavior serve as the rules of conduct required by the Privacy Act section (e)(9). Refer to IRM 10.8.1.4.1.19.1, Personally-Owned and Other Non-Government Furnished Equipment. Review the IRS Privacy Principle in IRM 10.5.1.3.2.6, Security. [PL-4; PS-06]

Complete IRS annual and role-based privacy, information protection, and disclosure training requirements, UNAX awareness briefings, records management awareness briefing, and all other specialized privacy training, as required. Review the IRS Privacy Principle in IRM 10.5.1.3.2.10, Privacy Awareness and Training.

Immediately complete Form 11377-E, Taxpayer Data Access, to document the access of tax information when direct case assignment does not support the access, the access was in error, or when the access may raise a suspicion of an unauthorized access. Review the IRS Privacy Principles in IRM 10.5.1.3.2.5, Strict Confidentiality, and IRM 10.5.1.3.2.6, Security.

Stay aware of the consequences of UNAX violations, including accessing your own records, those of coworkers, family, friends, celebrities, and other covered relationships. For information about the IRS-wide UNAX program and links to all UNAX forms, refer to the internal UNAX site. Review the IRS Privacy Principles in IRM 10.5.1.3.2.5, Strict Confidentiality, and IRM 10.5.1.3.2.6, Security.

Report incidents and data breaches immediately upon discovery to:

Follow privacy and security responsibilities outlined in IRM 10.8.1, Security Policy, and IRM 10.8.2, IT Security Roles and Responsibilities. Review the IRS Privacy Principle in IRM 10.5.1.3.2.6, Security.

In addition to the responsibilities in IRM 10.5.1.4.1, Employees and Personnel, management must follow the responsibilities in paragraphs (2) through (10).

Communicate IRS privacy policies and procedures clearly to all personnel in your organizations, ensuring awareness of their responsibilities to protect SBU data (including PII and tax information) and uphold applicable privacy laws, regulations, and IRS policies and procedures.

Make sure personnel with authorized access to SBU data receive training to carry out their roles and responsibilities consistent with IRS privacy policies. [OMB A-130]

Make sure all personnel in their respective organizations follow the IRS privacy policies and procedures. Also address any noncompliance and remedy it promptly, including, if necessary, the initiation of penalties for noncompliance following federal law and IRS personnel rules and regulations.

Prevent UNAX violations proactively in your respective areas. Make sure all personnel are trained and knowledgeable of the Taxpayer Browsing Protection Act of 1997, the consequences of UNAX violations for personnel, and that all personnel within their business area complete all IRS UNAX, privacy, information protection, and disclosure training requirements annually and as required for their position.

Make sure personnel use proper safeguards to prevent unintentional exposure to SSNs in cases where SSN use is necessary.

Use the SEID as the primary employee identifier as an alternative use for SSNs when possible.

Make sure personnel promptly complete PCLIAs for which you are the responsible official. Mitigate any privacy risks discovered. The IRS requires PCLIAs for pilot projects, research, experimentation, the use of innovative technologies, technical demonstrations, prototypes, and proof of concepts, and the like. For more information about the PCLIA process, refer to IRM 10.5.2.2, Privacy and Civil Liberties Impact Assessment (PCLIA), and IRM 2.31.1.4.4, OneSDLC Product Cycle Compliance Process. [RA-08]

Follow IRS records management requirements outlined in the IRM 1.15 series, Records and Information Management.

Make sure all personnel report incidents and data breaches immediately upon discovery to:

In addition to the responsibilities in IRM 10.5.1.4.1, Employees and Personnel, and IRM 10.5.1.4.2, Management, senior management and executives must also follow the responsibilities in paragraphs (2) though (7).

Coordinate with the Chief Privacy Officer (CPO) to develop, implement, maintain, and enforce a program to protect all SBU data (including PII and tax information) for which they are responsible following IRS privacy policies and procedures. [OMB A-130]

Focus special emphasis on the government-wide requirements to eliminate the unnecessary collection and use of SSNs as a personal identifier for employee and tax systems and programs. [OMB A-130]

Periodically assess and evaluate privacy awareness activities of your organization to set clear expectations for compliance with all requirements.

Allocate sufficient resources to follow IRS privacy policies and procedures. [OMB A-130]

Make sure the IRS uses alternative unique identifiers for internal and taxpayer systems and programs in place of SSNs when possible.

To deviate from privacy policy, follow the Risk Acceptance Form and Tool (RAFT) process in consultation with the CPO. [OMB A-130, TD P 85-01] For details, review IRM 10.5.1.1.5 (7), Background.

In addition to the responsibilities in IRM 10.5.1.4.1, Employees and Personnel, IRM 10.5.1.4.2, Management, and IRM 10.5.1.4.3, Senior Management and Executives, IRS IT system owners must follow the responsibilities in paragraphs (2) through (15).

Integrate information security and privacy fully into the system development process. [OMB A-130] This means to include privacy at the table for planning and discussion.

Follow applicable laws, regulations, and IRS privacy policies and procedures in the development, acquisition, implementation, operation, and disposal of all systems under their control. Follow the OneSDLC process. For more information about OneSDLC, refer to IRM 2.31.1, One Solution Delivery Life Cycle Guidance, or the OneSDLC site.

Follow the NIST SP 800-53 Security and Privacy Controls as cited in IRM 10.5.1.8 and IRM 10.8.1.

Limit the use of SBU data (including PII and tax information) throughout the privacy lifecycle to that which is minimally necessary for tax administration purposes or other legally authorized purposes.

Examine the use of SSNs in all information systems and programs, as well as hardcopy and electronic formats (for example, forms, printouts, screenshots, displays, electronic media, archives, and online storage repositories) and eliminate the unnecessary use of SSNs where identified.

Use adequate SSN alternatives, as necessary.

Make sure, where possible, that the IRS uses SBU data that is relevant, accurate, necessary, and timely (RANT).

Make sure that all new systems, systems under development, or systems undergoing major modifications with SBU data have in place a completed and approved PCLIA following federal laws and IRS policy, including the NIST SP 800-53 privacy controls. The IRS requires PCLIAs for pilot projects, research, experimentation, the use of innovative technologies, technical demonstrations, prototypes, and proof of concepts, and the like. [RA-08]

Work with Privacy Compliance and Assurance (PCA) to review approved PCLIAs to redact SBU data or PII from the PCLIA before posted to IRS.gov.

Coordinate with the system developer and PCA to document privacy risks identified on the PCLIA or privacy controls assessment in their Plans of Action and Milestones (POA&Ms) and to resolve them promptly.

Coordinate all inter-agency PII sharing agreements with PGLD’s Governmental Liaison, Disclosure, and Safeguards (GLDS) and other affected IRS entities that establish and monitor the sharing of PII with external entities.

Implement safeguards to establish and monitor internal and third-party agreements for SBU data protection and confidentiality.

Make sure that IRS personnel involved in the management, operation, programming, maintenance, or use of IRS information systems complete IRS UNAX and privacy, information protection and disclosure training before being granted access to those systems that include SBU data.

Make sure that IRS personnel who have access to SBU data for testing follow the requirements of IRM 10.5.8, Sensitive But Unclassified (SBU) Data Policy: Protecting SBU in Non-Production Environments. For more information, refer to the internal SBU Data Use Process site.

In addition to the responsibilities in IRM 10.5.1.4.1, Employees and Personnel, and IRM 10.5.1.4.2, Management, system developers must follow the responsibilities in paragraphs (2) through (9).

Integrate information security and privacy fully into the system development process. [OMB A-130] This means to include privacy at the table for planning and discussion.

Follow IRS privacy policies and procedures in the development, implementation, and operation of information systems for which they are responsible. Follow the OneSDLC process. For more information about OneSDLC, refer to IRM 2.31.1, One Solution Delivery Life Cycle Guidance, or the OneSDLC site.

Work with system owners to eliminate the unnecessary accessing, collecting, displaying, sharing, transferring, keeping, and using of SSNs in all IRS systems, especially personnel and tax systems.

Develop information systems that provide the ability to partially mask, truncate, or redact the SSN when the total elimination of the use of SSNs is not possible in both personnel and tax systems.

Establish, maintain, and test the management, operational, and technical controls to protect SBU data (including PII and tax information).

Complete system PCLIAs working with system owners and following IRS policy, if they are the responsible management official or designees. The IRS requires PCLIAs for pilot projects, research, experimentation, the use of innovative technologies, technical demonstrations, prototypes, and proof of concepts, and the like. [RA-08]

Coordinate with the system owners and PCA to resolve identified privacy risks and POA&Ms.

Perform system lifecycle reviews to ensure satisfactory resolution of privacy risks and give the results to the system owners.

In addition to the responsibilities in IRM 10.5.1.4.1, Employees and Personnel, and IRM 10.5.1.4.2, Management, the authorizing official (AO) (refer to IRM 10.8.2.3.1.7, Authorizing Official ) must follow the responsibilities in paragraphs (2) through (3).

Develop and maintain operational documentation (such as action and implementation plans, standard operating procedures) necessary for implementation of the privacy controls, outlined in the IRM 10.5 series, Privacy and Information Protection.

Implement privacy requirements, including documentation and procedures for managing, administering, and monitoring their information systems. For more information about this role, refer to IRM 10.8.2.3.1.7, Authorizing Official (AO).

In addition to the Employees and Personnel responsibilities in IRM 10.5.1.4.1, IRS contracting officers (COs), contracting officer’s representatives (CORs), and other personnel engaged in contract-related activities must follow the requirements in the subsections outlined in the following table, if they apply to their respective roles [Privacy Act, IRC 6103(n), OMB A-130]:

Contract privacy requirements apply to contractors, subcontractors, contractor employees, and subcontractor employees. Contract requirements flow down to subcontracts (which the IRS must approve) under the internal IRS Acquisition Policy (IRSAP) site Index C (pdf).

For more procurement information, refer to internal Office of the Chief Procurement Officer Customer Portal.

For more privacy information, refer to the internal contracts site.

For help with these responsibilities, email *Privacy.

The IRS has a clean desk policy. To protect SBU data (including PII and tax information) when not in your possession, you must lock it up. The clean desk policy requirements apply to data left out in work areas (including those in telework and offsite locations) and non-secured containers, on credenzas, desktops, printers, fax or copy machines, conference rooms, and in or out baskets. [TD P 15-71; Accountability, Strict Confidentiality, Security]

The clean desk policy also applies to online meetings. Keep a clean desk(top): apply the clean desk policy to your computer screen and anything in view of your camera. Close all applications and documents that don't apply to your call. Review IRM 10.5.1.6.18.2, Online Meetings.

IRS personnel must containerize all SBU data (including PII and tax information) in non-secured areas during non-duty hours.

Lock protected data in containers in areas where non-IRS personnel have access during non-duty hours or when not under the direct control of an authorized IRS employee. For more information, refer to IRM 10.2.14.3, Protecting Assets.

For some pipeline activities and processing conducted at Submission Processing centers, campuses, and computing centers, the volume of the tax information processed and the disruption to these operations might prevent containerization and Clean Desk implementation. We require Clean Desk Waivers for these areas. Submission Processing activity may complete one waiver request for each campus, computing center, or other POD, but we will not grant blanket waivers for any entire facility. Clean Desk Waiver requests must be:

IRS Privacy in Practice includes protecting privacy in systems and safeguarding privacy in everyday business practices. All IRS activities include an element of privacy. A culture of privacy prevails through privacy in practice; from systems development to customer service, training, communications, passwords, and the clean desk policy.

PGLD Privacy Policy and Compliance (PPC) employees serve as privacy advocates and consultants for IRS personnel and projects.

Designing privacy into projects is a key aspect of effective privacy policy and compliance at the IRS.

Invite privacy employees when necessary at all project stages to include privacy at the table for planning and discussion. [OMB A-130]

Refer to Privacy in Practice Quick Reference Guide (Document 13291).

For help or more information, email *Privacy.

Refer to the internal Enterprise Architecture site.

Regardless of the risk, IRS personnel must protect and safeguard SBU data (including PII and tax information). This means you must properly use SBU data throughout the privacy lifecycle.

You are always responsible for the information you share.

The requirements in this subsection mirror the IRS-Wide Privacy Roles and Responsibilities in IRM 10.5.1.4 and stem from TD P 15-71, Treasury Security Manual, Chapter III, Section 24, Sensitive But Unclassified Information.

Be aware of and follow safeguarding requirements for SBU data. Disclosing or accessing SBU data without proper authority could result in administrative or disciplinary action (including termination of contract). The lack of an SBU data marking does not mean the information is not sensitive nor does it relieve you from responsibility to properly safeguard the information from unauthorized use or inadvertent disclosure.

Take steps to prevent the possibility of such disclosure by non-IRS personnel. Deny access to unauthorized non-IRS personnel in areas not used for serving the public.

Follow the IRS clean desk policy in IRM 10.5.1.5.1.

Decide how long to protect the information, for example, either by date or lapse of a determinable event, following the IRM 1.15 series, Records and Information Management.

IRS security officials must provide routine oversight of measures in place to protect SBU data through a program of routine administration and day-to-day management of their information security program.

IRS supervisors and program managers hold responsibility for training personnel to recognize and safeguard SBU data supporting their mission, operations, and assets. Supervisors and managers must also make sure affected personnel keep an adequate level of education and awareness. Education and awareness must begin upon initial personnel assignment and be reinforced annually through mandatory training, staff meetings, or other methods contributing to an informed workforce.

IRS personnel must protect SBU data supporting their mission, operations, and assets. Protection efforts must focus on preventing unauthorized or inadvertent disclosure, especially when visitors enter areas where we process SBU data. This includes being aware of surreptitious and accidental threats posed by high-end communications technologies carried or used by personnel and visitors, such as cell phones (with or without photographic capability), personal data assistants or digital assistants, smart devices, Internet of Things (IoT), portable or pocket computers, cameras, and other video imaging recorders, flash drives, multi-functional, and two-way pagers, and wireless devices capable of storing, processing, or sending information.

IRS program managers and contracting officials must also require proper privacy and security contract requirements language for personnel, facilities, and information protection through the acquisition process of contracts or grants that concern access to SBU data.

The IRS uses its IT-approved encryption as a crucial tool to protect SBU data (including PII and tax information). [OMB A-130, TD P 85-01, Security, SC-08, SC-13, SI-03]

Protect all SBU data (including PII and tax information) with IT-approved encryption methods and access controls, limiting access only to approved personnel with a need to know. This includes SBU data in email, removable media (such as USB drives), on mobile computing devices, and on computers and mobile devices.

For IT policy on email encryption, refer to IRM 10.8.1.4.19.2.1, Electronic Mail (Email) Security (and related interim guidance).

For more details about emailing and encrypting SBU data, review IRM 10.5.1.6.8, Email and Other Electronic Communications.

Different policies apply for emails to taxpayers and representatives, other stakeholders, those with IRS accounts, and personal email. For more information about emailing outside the IRS, review the following subsections:

Refer to the internal Encryption site for encryption instructions.

Refer to specific requirements in these IRMs:

Protect SBU data (including PII and tax information) on a computer (such as a server, desktop, or mobile computing device [such as a laptop, tablet, or smartphone]). Lock the device (such as with a screen saver), secure it physically, and keep it within sight or control.

IRS personnel must use encryption, access controls, and physical security measures proper for the equipment and setting.

Protect equipment. Securely lock computers (such as a server, desktop, or mobile computing device [such as a laptop, tablet, or smartphone]) or other equipment (such as flash drives, CDs, external drives) when left unattended, whether in the office, in the home, or in a hotel room. Use the IRS-provided cables and cable locks to secure laptops when working in regular workspace (worksite), working out of the office, or in travel status. This policy applies even to personnel who live alone. Always secure equipment.

For more information about secured wireless access points (wi-fi hotspots), review IRM 10.5.1.6.12, Telework, and refer to IRM 10.8.1.4.1.17, AC-18 Wireless Access.

IRS personnel must prevent SBU data loss throughout the privacy lifecycle.

If such a loss occurs:

For a brief description of the Incident Management program, review IRM 10.5.1.7.16, Incident Management.

For more information about how to report an incident and data breach, refer to IRM 10.5.4.3, Reporting Losses, Thefts and Disclosures, or the internal Report Losses, Thefts or Disclosures of Sensitive Data; Report Lost or Stolen IT Assets and BYOD Assets site.

The Treasury Security Manual [TD P 15-71, Treasury Security Manual, Chapter III, Section 24, Sensitive But Unclassified Information] requires distinct labeling of SBU data (including PII and tax information) to highlight its sensitivity. The lack of SBU data markings does not relieve the holder from safeguarding responsibilities.

Identify and mark SBU data at document creation. You don’t have to remove, mark, and restore unmarked SBU data already in records storage. If you remove unmarked SBU items from storage, you must mark them properly before processing or re-filing.

To mark sensitive data, TD P 15-71 requires that you:

Not all markings must say "SBU." Instead of using "SBU," you may choose a more descriptive marking. Review the following table with markings based on the source of the data and the underlying law that protects it. For documents and sites in the M365™ environment (such as in email, Word™, Excel™, and PowerPoint™), consider using sensitivity labels that mirror these markings. FTI is the highest sensitivity, while Uncontrolled – not SBU is the lowest. Change your marking as needed, justifying the change if you lower the sensitivity. For more information, refer to the internal Sensitivity Labels site.

Protective measures start when we apply markings and end when we cancel such markings or destroy records.

Although SBU is Treasury’s standard for identifying sensitive information, some kinds of SBU data might be more sensitive than others and call for more safeguarding measures beyond the minimum requirements shown here. Certain information might be extremely sensitive based on repercussions if the information is released or compromised – potential loss of life or compromise of a law enforcement informant or operation. The IRS and its personnel must use sound judgment coupled with an evaluation of the risks, vulnerabilities, and the potential damage to personnel, property, or equipment for deciding the need for safeguards more than the minimum requirements here. Review IRM 10.5.1.2.11, High Security Items.

Place a Sensitive But Unclassified (SBU) Cover Sheet, Other Gov TDF 15-05.11, on documents with SBU data to prevent unauthorized or inadvertent disclosure when you remove SBU data from an authorized storage location and persons without a need-to-know are present or casual observation would reveal SBU data.

For privacy-related concerns about electronic storage of SBU data (including PII and tax information):

For security-related concerns about electronic storage of SBU data (including PII and tax information), refer to IRM 10.8.1, Security Policy, about limiting access to need-to-know personnel and for encryption requirements.

For physical security methods for protecting and storing physical SBU data (including PII and tax information) items, including high security and special security items, refer to IRM 10.2.14.3, Protecting Assets.

For storage of federal records, refer to the IRM 1.15 series, Records and Information Management.

For managers handling employee performance files (EPFs), refer to:

When talking about SBU data (including PII and tax information) via phone call, IRS personnel must:

This subsection applies to talking on phone calls (including internet-based calls). For texting restrictions, review IRM 10.5.1.6.9.6, Text Messaging (Texting).

For security information on phones, refer to IRM 10.8.1.4.1.18.1, Telecommunication Devices.

IRS personnel must use IRS email accounts or other IRS-approved secure electronic communication methods to conduct IRS official business. (TD P 85-01)

The Protecting Americans from Tax Hikes (PATH) Act of 2015, Section 402, Division Q of the Consolidated Appropriations Act of 2016 reads:

Manage emails used for business communications as IRS records.

IRS personnel hold a legal responsibility to protect all IRS SBU data (including PII and tax information) entrusted to us by taxpayers, fellow personnel, and other individuals. This means communicating SBU data securely only with those authenticated, authorized individuals who have a need to know.

For external electronic communications, IRS personnel should use IRS-approved alternatives to email such as secure messaging or secure portals when available. Review IRM 10.5.1.6.8.6, Other Secure Electronic Communication Methods. Different policies apply for emails to taxpayers and representatives, other stakeholders, those with IRS accounts, and personal email. For more information about emailing outside the IRS, review the following subsections:

When authorized to email SBU data, encrypt SBU data in emails using IRS IT-approved encryption technology. Do not include SBU data (including PII or tax information, such as the name control) in the email subject line. Review IRM 10.5.1.6.2, Encryption.

Examples of IRS IT-approved encryption technology include:

Refer to the internal Encryption site for encryption instructions.

Refer to these IRMs for more policy on email and other electronic communications:

This subsection addresses forms of transmission other than phone and email.

You must provide adequate safeguards for SBU data (including PII and tax information) sent from one location to another.

Destroy documents with SBU data (including PII and tax information), also known as sensitive waste material, by properly shredding, burning, mulching, pulping, or pulverizing beyond recognition and reconstruction. If other sources for these requirements conflict, use the most stringent requirements. [TD P 15-71, Treasury Security Manual, Chapter III, Section 16, Destruction of Classified and Sensitive Information, and Section 24, Sensitive But Unclassified Information]

Follow specific instructions for different kinds of materials and situations:

Sensitive waste material may include extra copies, photo impressions, microfilm, printouts, computer tape printouts, IDRS printouts, notes, work papers, CDs, USB drives or other removable media, or any other material with SBU data (including PII and tax information) which has served its purpose.

Bring all sensitive waste material for destruction into the office for proper disposition, even when teleworking with access to a shredder at home. It’s not necessary to transport sensitive waste in a locked receptacle, but you must still be careful to protect it during transit.

Do not discard sensitive waste material, including that shredded with non-compliant equipment, in regular trash bins.

Protect sensitive waste as you do any other SBU data (including PII and tax information). Material identified for destruction does not change the requirement to provide proper protective measures. Protect sensitive waste material as required for the most protected item.

Keep waste material in a secured (locked) container in a secured area to prevent SBU data from unauthorized disclosure or access.

Although IRS personnel might know the proper methods of destroying tax data, management must reinforce this knowledge by including document destruction as a topic in orientation sessions, periodic group meetings, and other awareness sessions.

Managers must periodically review work areas to make sure employees discard sensitive waste material properly.

Policy for personally owned GPS device usage and location services (geolocation) on devices balances the business needs of field employees voluntarily using these devices and the privacy and security concerns related to the SBU data that might be in the devices. The purpose of the following is to minimize the risk of exposing SBU data and to prevent unauthorized disclosures. [IRC 6103, Privacy Act]

Special privacy concerns arise in the telework environment. Like all IRS personnel, teleworking personnel have a responsibility to safeguard SBU data (including PII and tax information). Unique potential risks, such as family members accidentally taking case files left out on a desk, or overhearing phone calls with tax information, create the need for more guidelines.

Except for those documents received in a field environment, do not take high security items (review IRM 10.5.1.2.11, High Security Items) to a telework location. [Telework Enhancement Act of 2010; Treasury Telework Program policy, TN-18-001; OMB Guide to Telework in the Federal Government; NIST 800-46, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security]

For more information on telework requirements, refer to IRM 6.800.2, IRS Telework Program.

For telework mail procedures, refer to IRM 6.800.2.3.4.7, Mail, and IRM 1.22.5.11, Guidance on Telework Employee Mail.

Be aware of your environment as you conduct business at an approved telework location.

When setting up a home office, you should evaluate the nature of your work and the level of sensitivity around the information you handle on a day-to-day basis, refer to IRM 6.800.2.3.2, Equipment.

Do not use an unsecured wireless access point (wi-fi hotspot) as a regular telework location. For more information about secured wireless access points (wi-fi hotspots), refer to IRM 10.8.1.4.1.17, AC-18 Wireless Access.

Teleworking personnel should follow the following guidelines. For bargaining unit employees, should any of the guidelines conflict with a provision of a negotiated agreement, the agreement will prevail. Individual office practices may supplement this information.

Teleworking personnel should:

Bring Your Own Device (BYOD) is a concept that allows personnel to use their personally‐owned technology devices to stay connected to, access data from, or complete tasks for their organizations. At a minimum, BYOD programs allow users to access employer‐provided services and data on their personal tablets or smartphones.

To protect the privacy of the tax information, BYOD participants must:

Use only IRS-approved applications.

Refrain from using devices in public settings where others might overhear conversations involving SBU data (including PII and tax information) or where others might review screens with this information. Review IRM 10.5.1.6.7.1, Cell Phone and Cordless Device.

Follow the terms in the Personally-Owned Mobile Device Acceptable Use Agreement, including:

The BYOD program protects privacy. All BYOD users must acknowledge: Use of this system constitutes consent to monitoring, interception, recording, reading, copying or capturing by authorized personnel of all activities on the IRS-approved mobile device business software on their mobile devices. Refer to IRM 10.8.1.4.1.7, AC-08 System-Use Notifications.

For your privacy, you may block the outgoing phone number of the personal device per the internal BYOD site.

Refer to IRM 10.8.26, Wireless and Mobile Device Security Policy, and IRM 10.8.27, Personal Use of Government Furnished Information Technology Equipment and Resources.

Privacy and civil liberties often overlap.

Civil liberties are the rights of people to do or say things that are not illegal without the government stopping or interrupting them (due process). For example, the U.S. Constitution’s Bill of Rights (external) guarantees civil liberties.

The Privacy Act provides for privacy and civil liberties protections, outlined in IRM 10.5.1.6.14.1, First Amendment, and detailed in IRM 10.5.6.5, Privacy Act Recordkeeping Restrictions (Civil Liberties Protections).

The Taxpayer Bill of Rights (TBOR) lists rights that already existed in the tax code, putting them in simple language and grouping them into 10 fundamental rights. Employees are responsible for being familiar with and acting in accord with taxpayer rights. Refer to IRC 7803(a)(3), Execution of Duties in Accord with Taxpayer Rights. For more information about the TBOR, refer to the Taxpayer Bill of Rights (external). The TBOR requires the IRS to protect taxpayer rights to privacy (with due process) and confidentiality as essential rights that help protect their civil liberties.

The Privacy Act also allows for due process rights, as it forms the basis for the IRS Privacy Principles.

Many existing privacy policy and compliance requirements, including the IRS Privacy Principles, also protect civil liberties. For example, the principle of Data Quality ensures fair treatment. The principle of Access, Correction, and Redress ensures due process, as do the principles of Openness and Consent, and Verification and Notification.

The IRS further addresses civil liberties protections through the PCLIA. The PCLIA reinforces Privacy Act requirements for the collection of First Amendment activities information and monitoring of individuals (review IRM 10.5.1.6.14.3, Monitoring Individuals). [RA-08]

Refer to IRM 10.5.2.2, Privacy and Civil Liberties Impact Assessment (PCLIA), for more information on the PCLIA process.

For more information, refer to IRM 10.5.6.5, Privacy Act Recordkeeping Restrictions (Civil Liberties Protections).

For more information, refer to TD P 25-04 Privacy Act Handbook (pdf)(external), Record Keeping Under the Privacy Act.

The IRS defines personnel to include contractors in IRM 10.5.1.1.2, Audience. Contractors and applicable IRS personnel must follow the requirements in IRM 10.5.1.4.1, Employees and Personnel, and IRM 10.5.1.4.7, Personnel in Contract Activities.

The IRS has statutory and regulatory privacy obligations for contracts. To meet these obligations, the Chief Privacy Officer (CPO) as designee of the Senior Agency Official for Privacy (SAOP), must make sure the IRS [Privacy Act, IRC 6103(n), OMB A-130, NIST, Accountability]:

The IRS CO, COR, and others responsible for contract-related activities must meet the requirements in the subsections outlined in the following table, if they apply to their respective roles:

In this IRM, contract privacy requirements apply to contractors, subcontractors, contractor employees, and subcontractor employees. Contract requirements flow down to subcontracts (which the IRS must approve) under the internal IRS Acquisition Policy (IRSAP) site Index C (pdf).

For more procurement information, refer to the internal Office of the Chief Procurement Officer Customer Portal.

For more privacy information, refer to the internal contracts site.

For help with privacy contract requirements, email *Privacy.

Online data collection may require several kinds of notices, such as:

When building an online form that allows unrestricted input by users, tell the user whether it is secure for personal information.

Do not use persistent cookies or other tracking devices to monitor the public's visits on an IRS internal or publicly accessible website, except as authorized by OMB regulations. [OMB M-03-22]

After following the guidance in this subsection for writing your notice, Privacy Policy must review and approve the final notice. For approval or questions, email *Privacy.

IRS Communications and Liaison is responsible for external communications, and all external communications must come through their office. Refer to IRM 1.1.11.2.2, Social Media Branch.

Except for approved IRS communicators handling official IRS media initiatives, the IRS does not authorize you to use social media in an official capacity. Refer to the internal Social Media Guidelines site and the IRS Rules of Behavior in the internal Business Entitlement Access Request System (BEARS).

For more information about internet research guidelines, refer to IRM 11.3.21.8, Requirements for Investigative Disclosure, and IRM 11.3.21.12.1, IRC 6103(k)(6) Disclosures by IRS Employees using Social Networking and Other Internet Sites.

Personal, non-work usage of these social media tools on personal devices must not compromise the confidentiality of IRS SBU data (including PII or tax information) or the integrity of the IRS. Refer to the internal Social Media Guidelines site.

To use any existing IRS social media tools in communications plans or outreach initiatives, business units must use the proper social media authorization form or contact the proper social media platform owner.

If an IRS organization would like to consider use of a new social media platform, they must send a New Media Use Authorization Form for approval by the IRS Social Media Governance Council, along with a Social Media PCLIA.

For more information on Social Media PCLIAs, refer to IRM 10.5.2.2.5.3, Social Media PCLIA.

This policy does not apply to PII the IRS proactively makes available to all personnel on resource sites (including Discovery Directory, Outlook™ (calendar, profile information, and address book), and SharePoint™ or Teams™ site collections), such as names and business contact information.

Some of the privacy risks associated with collaborative data sites include:

The data on collaborative data sites require privacy protections. These protections must include:

Although IRC 6103(h) (1) allows the disclosure of tax information to IRS personnel for tax administration to the extent the individual obtaining that access has a "need to know," you must avoid the use of tax information in training and fictionalize SBU data where possible. [Minimizing Collection, Use, Retention, and Disclosure; PM-25]

For more information about fictionalizing data, refer to the Document 13324, Guidelines and Examples for Fictionalizing Domestic Taxpayer Information; Document 13311, International Name and Address Construction Job Aid; and IRM 6.410.1.3.10, Disclosure Requirements.

For more information about training material and marking requirements, review IRM 10.5.1.6.5, Marking, and refer to IRM 6.410.1.3.12, Personally Identifiable Information (PII).

Do not allow digital assistants, smart devices, Internet of Things (IoT), and other devices that can record or send sensitive audio or visual information to compromise privacy in the work, telework, field, or travel environment. These devices typically have sensors, microphones, cameras, data storage components, speech recognition, GPS or location options, and other multimedia capabilities. These features could put the privacy of personnel and taxpayers at risk due to the personal information that might be unwittingly disclosed. When working on any form of SBU data (including PII and tax information), follow these rules:

Examples of these devices or applications include:

For more information about location-related concerns, review IRM 10.5.1.6.11.2, Location Services.

The use of biometrics raises privacy concerns due to the inherently sensitive nature of biometric information and public perception that they may be unnecessarily surveilled. You can use biometric technology effectively with proper controls.

Biometric technology is a combination of the use of very sensitive personal information with automated analysis, often performed by artificial intelligence processing. Biometrics include technologies and data such as:

NIST provides definitions of biometrics in several publications, linked from their Glossary (external), including:

Any information technology the IRS uses must meet all IRM 10.5.1.3.2, IRS Privacy Principles, and IRM 10.5.1.8, NIST SP 800-53 Security and Privacy Controls. For biometrics, system owners and authorizing officials must apply the IRS Privacy Principles:

System owners and authorizing officials must document how their use of biometrics meets all IRS Privacy Principles and privacy controls in their system’s PCLIA and security documentation. For more information about the roles and responsibilities, review IRM 10.5.1.4.4, System Owners, and IRM 10.5.1.4.6, Authorizing Officials (AOs). [RA-08]

This policy outlines privacy requirements and recommendations to allow for IRS use of artificial intelligence (AI). It applies to IRS users, developers, and providers of AI to follow the Privacy Act and Internal Revenue Code. It links the IRS Privacy Principles, from IRM 10.5.1.3.2, to key AI concepts.

All IRS personnel must follow the IRS Privacy Principles to manage risks of AI use.

IRS privacy policy is technology neutral, meaning that these principles apply to any technology. This policy is for any design, development, acquisition, or use of AI (hereafter referred to as AI use), whether a web-based online form, COTS product or service, custom built IRS tool, or any other use case. This policy applies to associated technology that may not meet the IRS definition of AI. Examples of AI or associated technology include:

Use of AI may create new privacy risks or exacerbate privacy risks present in other systems. When using AI, you must consider the relationship between AI and privacy risks, such as collecting more data than is necessary, improper disclosure, misuse, and even aspects of incorrect conclusions that may affect privacy and civil liberties. Use privacy enhancing technologies (PETs), where possible, to protect privacy.

Use only IRS-approved AI that follow IRS principles and policies for AI risk management, privacy, and security.

You are responsible for the information you share when using AI, just as you are responsible for the information you share in a conversation or email. This includes considering how the AI might use the information later. Treat AI as another person and follow authentication, authorization, and need to know. Do you know who they are? Are they authorized to review the information? Do they have a need to know? If not, don’t share it.

IRS personnel who manage contracts must make sure that contractors follow this policy. Contractors that use AI must meet all applicable privacy, security, and AI risk management requirements and pass them on to subcontractors.

System owners and authorizing officials must have written documentation concerning how their use of AI meets all IRS Privacy Principles. The required Privacy Threshold Assessment (PTA) and Privacy and Civil Liberties Impact Assessment (PCLIA), as well as other OneSDLC artifacts, address this documentation. For more information on PCLIAs, refer to IRM 10.5.2.2, Privacy and Civil Liberties Impact Assessment (PCLIA).[RA-08]

The protections required by IRM 10.5.1.8, NIST 800-53 Security and Privacy Controls, also apply to uses of AI.

Within PGLD’s PPC, PPKM oversees and coordinates the IRS Privacy Council.

The purpose of the IRS Privacy Council is to:

To carry out these objectives, the IRS Privacy Council members will:

The IRS privacy community takes part in the Federal Privacy Council (FPC) to identify federal agency best practices, build and strengthen collaboration with other agencies, and conduct outreach as proper. Review Exhibit 10.5.1-2, References, for the link to the FPC website and resources.

For more information, email *Privacy or refer to the internal IRS Privacy Council site.

The Privacy Review team in PCA, within PGLD’s PPC, supports the IRS in recognizing the importance of protecting the privacy of taxpayers and employees, balancing the need for information collection with the privacy risks. The vehicle for addressing privacy issues in a system is the PCLIA. [E-Government Act, OMB A-130, RA-08]

When the IRS procures, uses, or develops IT to process PII, the IRS must consider the privacy protections with a PCLIA. The IRS requires PCLIAs for pilot projects, research, experimentation, the use of innovative technologies, technical demonstrations, prototypes, and proof of concepts, and the like. [E-Government Act, RA-08]

For more information about the PCLIA process, refer to IRM 10.5.2.2 , Privacy and Civil Liberties Impact Assessment (PCLIA), or the internal PCLIA site. For questions, email *Privacy Review.

The Business PII Risk Assessment (BPRA) program in PGLD’s PPC assesses privacy risks in IRS processes. The BPRA addresses the impact of privacy risks in the same way an IT security risk assessment addresses the impact of security risks to the IRS. [OMB A-130]

For more information, refer to IRM 10.5.2.4 , Business PII Risk Assessment (BPRA), and the internal BPRA site.

The Privacy Control Assessment Teams (PCAT) in PCA, within PGLD’s PPC, conduct assessments to determine the extent to which the privacy controls from IRM 10.5.1.8, NIST SP 800-53 Security and Privacy Controls, are implemented correctly, operating as intended, and producing the desired outcome. The PCAT process assigns risks identified during the assessments to the proper functional area for resolution and reporting.

For more information about the PCAT process, refer to the internal Privacy Control Assessment Team site or email *PGLD PCAT.

Privacy reporting comes through several offices within PGLD. [PM-27]

Refer to the internal PGLD - All Internal and External Reports site, IRM 10.5.1.8.10.24, PM-27 Program Management -- Privacy Reporting [P] {Org}, IRM 10.5.6.9, Privacy Act Reports, and IRM 10.5.2.3, Reporting.

Information Protection Projects (IPP), under PGLD’s Identity and Records Protection (IRP), manages the UNAX program to implement the requirements of the Taxpayer Browsing Protection Act.

The UNAX program provides awareness to make sure you do not compromise public confidence in our protection of tax account information.

For more information, refer to IRM 10.5.5, IRS Unauthorized Access, Attempted Access or Inspection of Taxpayer Records (UNAX) Program Policy, Guidance and Requirements.

Refer to the internal UNAX site.

Mandatory briefings deliver required IRS-wide training, including the Privacy Information Protection and Disclosure, Records Management, CUI, and UNAX briefings managed by the PGLD offices of PPKM, IRP, and IPP, respectively. [AT-03]

For more information about mandatory briefings, refer to the internal Mandatory Briefings site.

Records and Information Management (RIM) Office within PGLD’s IRP supports the IRS mission and programs by promoting current information, guidance, and awareness of the importance of managing records throughout the IRS. The RIM program addresses the requirements for recordkeeping, protection, review, storage, and disposal.

The public expects that IRS records are available where and when they are needed, to whom they are needed, for only as long as they are needed, to conduct business, adequately document IRS activities, and protect the interests of the federal government and taxpayers. The Federal Records Act requires the IRS to efficiently manage all IRS records until final disposition.

For more information about records, refer to the IRM 1.15 series, Records and Information Management, or the records management pages on the internal PGLD Disclosure and Privacy Knowledge Base.

Disclosure, within PGLD’s Governmental Liaison, Disclosure and Safeguards (GLDS), manages FOIA and IRC 6103 policy to make sure the right information is released to the right individuals at the right time. They deliver timely public access to IRS records under disclosure laws. They make sure IRS employees understand disclosure rules and know how to protect federal tax information, taxpayer confidentiality, and privacy.

Under IRC 6103, tax returns and return information are confidential information that we must not disclose except as allowed by the IRC.

The IRM 11.3 series, Disclosure of Official Information, has policy on whether we may disclose tax returns and other information contained in IRS files. Make no disclosure unless IRC 6103 authorizes disclosure and not before meeting requirements in IRC 6103 and the IRM 11.3 series.

For more information, refer to the disclosure pages on the internal PGLD Disclosure and Privacy Knowledge Base.

For external FOIA requests, refer to FOIA (external).

Digital Identity Risk Assessment (DIRA) is a joint effort between IT Cybersecurity and Online Services to form a framework for establishing authentication risk consistently across online web-based electronic transactions. The DIRA process applies to online web-based transactions. [NIST SP 800-63]

To ensure privacy and security, agencies must authenticate users of their web-based or online transactions before allowing access to information entrusted to them. The DIRA process evaluates the risk of a transaction to decide the applicable assurance level on three parts, referred to as Identity Assurance Level (IAL), Authenticator Assurance Level (AAL), and Federation Assurance Level (FAL).

For more information, refer to the internal Digital Identity Risk Assessment (DIRA) site. For information about risk assessments of online services, contact *IT Cyber CPO DIRA.

The IRS IT OneSDLC process is how the IRS manages project activities.

For more information about OneSDLC, refer to IRM 2.31.1, One Solution Delivery Life Cycle Guidance, or the OneSDLC site.

Governmental Liaison (GL) facilitates, develops, and maintains relationships with federal, state, and local governmental agencies and IRS operating and functional divisions on strategic IRS programs. Contact GL before contacting any governmental agency about initiatives or data exchanges.

GL maintains the IRS Agreement Database (IAD), which includes formal agreements that GL established with U.S. federal, state and local governmental agencies and IRS business units to exchange data, and tax and non-tax information that require PGLD oversight for privacy, disclosure, and safeguarding. Internet service agreements, LB&I treaty and Foreign Account Tax Compliance Act agreements, agreements with 6103(k)(6) disclosures and IRC 6103(c) consent-based disclosures with non-government agencies are excluded.

For more information about GL, refer to IRM 11.4.1, Governmental Liaison Operations.

For more information about GL’s programs, refer to the internal GL site.

Data Services provides support to GL and Disclosure programs through a variety of information technology initiatives, including:

For more information about Data Services, refer to IRM 11.4.2, Data Exchange Program, and IRM 11.3.39, Computer Matching and Privacy Protection Act.

Identity Assurance (IA) provides oversight and strategic direction for authentication, authorization, and access processes of taxpayer information. IA also delivers externally facing IRS services across all channels while protecting taxpayer data from fraudsters and identity thieves.

For more information about IA, refer to the IRM 10.10 series, Identity Assurance, and the identity assurance pages on the internal PGLD Disclosure and Privacy Knowledge Base.

IT Security Policy, within Cybersecurity, supports IT security policy and implementation.

IT security and privacy issues go together. IT security policy describes how to protect IT environments, while privacy policy describes how to protect individuals’ information in those IT environments. IT focuses on protecting the systems, the network, and the applications that house the data. Privacy focuses on protecting the individual represented by the data.

For more information about IT security policy and references, refer to the IRM 10.8 series, Information Technology (IT) Security.

For more information about the Cybersecurity program, refer to the internal Cybersecurity site.

Within PGLD’s PPC, the IM program is dedicated to helping taxpayers and personnel potentially affected by IRS data breaches by working quickly and thoroughly to investigate data breaches to decrease the possibility that information will be compromised and used to perpetrate identity theft or other forms of harm.

The IM program manages reports of IRS losses, thefts, and inadvertent unauthorized disclosure of SBU data (including PII and tax information).

Immediately upon discovery of an inadvertent unauthorized disclosure of sensitive information, or the loss or theft of an IT asset or hardcopy record or document that includes sensitive information, personnel must report an incident and data breach to the manager and the proper organizations based on what was lost or disclosed.

Anyone discovering a data breach must report the data breach to the proper organizations.

For more information about how to report an incident and data breach, refer to IRM 10.5.4.3, Reporting Losses, Thefts and Disclosures, or the internal Report Losses, Thefts or Disclosures of Sensitive Data; Report Lost or Stolen IT Assets and BYOD Assets site.

The IM Employee Protection group, within PGLD’s PPC IM, manages the IRS pseudonym program.

Under certain conditions (including protection of personal safety, adequate justification, and pre-approval), this program allows for the use of pseudonyms by IRS employees. The Employee Protection group helps employees protect the privacy of these pseudonyms.

Refer to IRM 10.5.7, Use of Pseudonyms by IRS Employees.

The Safeguards program makes sure that federal, state, and local agencies receiving federal tax information protect it as if the information remained in IRS’s hands, using Pub 1075, Tax Information Security Guidelines for Federal, State and Local Agencies.

For more information about Safeguards, refer to IRM 11.3.36 , Safeguard Review Program, and the internal Safeguards site.

Information Protection Projects (IPP), under PGLD’s IRP, manages the Social Security Number Elimination and Reduction (SSN ER) program.

This program’s goal is to implement regulatory requirements to eliminate or reduce the collection and use of SSNs in programs, processes, and forms. [Pub.L. 115-59, OMB A-130, PT-07(01)]

For more information, refer to the internal SSN ER site or email *PGLD SSN Reduction.

Within PGLD’s PPC, PCA manages the SBU Data Use process for non-production environments.

The SBU Data Use for non-production environments process helps information owners (IOs) and authorizing officials (AOs) know when we are using SBU data (including PII or tax information) in other non-production environments, when proper. This process helps IOs and AOs, tasked with accepting risk for the IRS, to know and understand the movement of the SBU data outside the production environment and to ensure its protection.

Refer to IRM 10.5.8, Sensitive But Unclassified (SBU) Data Policy: Protecting SBU in Non-Production Environments, and the internal SBU Data Use Process site.

The Office of Taxpayer Correspondence in Media and Publishing manages the Quick Response (QR) codes for the IRS to provide taxpayers with targeted, prompt guidance and outreach.

Using IRS-created QR codes allows the IRS to minimize data collection (to collect only necessary data), to protect privacy and civil rights, to reduce costs, and to make sure that the experience instills trust and consistency.

Refer to IRM 1.17.7.4.8, QR Response (QR) Codes.

This is a joint security and privacy control requiring that the IRS have policy and procedures about access control. For the full text of the control, refer to IRM 10.8.1.4.1, AC-01 Access Control Policy and Procedures.

Implementation guidance: The IRS implements this control with policy throughout this and all organizational IRMs that address this control family’s concerns and require personnel to:

In this IRM, follow the policies on the access control policy and procedures control, including:

Follow the other PGLD and IRS policies that supplement the access control policy and procedures control, including: