4.17.3 Requirements4.17.3.1 Overview4.17.3.2 Approval4.17.3.3 Research of Existing Data, Similar Projects4.17.3.4 Control, Use, and Disposition of External Data4.17.3.5 Annual Reviews4.17.3.6 Quality Review by Disclosure Manager4.17.3.7 Privacy and Disclosure4.17.3.8 Security Part 4. Examining ProcessChapter 17. Compliance Initiative ProjectsSection 3. Requirements 4.17.3 Requirements Manual Transmittal May 15, 2017 Purpose (1) This transmits revised IRM 4.17.3, Compliance Initiative Projects, Requirements. Material Changes (1) This section has been updated with the following significant changes: IRM 4.17.3.3 –Added National CIP Database as a source to check for existing projects. IRM 4.17.3.4 –Clarified CIP coordinator is responsible for managing data. Updated references for data control guidance. IRM 4.17.3.5 –Added TE/GE. IRM 4.17.3.6 – Added TE/GE. IRM 4.17.3.8 –Updated references for security and record control guidance. Effect on Other DocumentsIRM 4.17.2 dated February 25, 2010 is superseded. AudienceCompliance employees within all Operating Divisions. Effective Date(05-15-2017) Deborah NgoActing Director, Exam Case SelectionSmall Business/Self-Employed Division 4.17.3.1 (02-25-2010) Overview This section describes the requirements for: Approval of CIPs Research of existing data or similar projects Control, use and disposition of external data Operational and Disclosure reviews Privacy, security and disclosure 4.17.3.2 (02-25-2010) Approval The appropriate Manager/Director must approve all CIPs and extensions. See IRM 4.17.4, Procedures, for complete approval process procedures. CIPs must be approved before compliance contacts are made, that is, before taxpayers are contacted by any means as part of a compliance initiative including, but not limited to, taxpayer education, research, examination, or collection activity. 4.17.3.3 (05-15-2017) Research of Existing Data, Similar Projects Valuable information may be obtained from existing data or similar projects. Research should be conducted to determine whether such data or projects exist. If a similar project is identified, the CIP coordinator should consider its methodology and results, if available, to determine how or if appropriate to proceed with the proposed project and document these in the Background and Objectives section of the authorization request. Some sources of information on other projects include: IRS Websites Counterparts in other areas, functions, or units Fed/State partners National Headquarters Office of Research, Electronic Library The National CIP Database or other internal databases Preliminary research, that is non-taxpayer specific research, to determine whether there is potential compliance risk does not require an authorized CIP. 4.17.3.4 (05-15-2017) Control, Use, and Disposition of External Data The CIP coordinator will control all external taxpayer specific data exclusively related to cases that are part of a CIP being worked by an examination or collection function. For further information on retention of taxpayer data or information, refer to Document 12990, Records and Information Management Records Control Schedule - Item 72 or Schedule 24. Data can only be used for approved purposes. If new uses are developed for data already acquired, a separate authorization must be obtained prior to beginning the new use. Approval, if appropriate, must also be obtained from the source who provided the data. 4.17.3.5 (05-15-2017) Annual Reviews The SB/SE PSP Territory Manager; Field Case Selection Program Manager; LB&I Compliance Planning & Analytics (CP&A) function for LB& I; W&I Director Refundable Credits Policy & Program Management; respective TE/GE Compliance Program Manager; or equivalent, will conduct an annual CIP operational review. Other compliance employees may be asked to assist. The objectives of the reviews are to evaluate: Proper authorization and adherence to CIP procedures. Compliance with Service policy and guidelines. Accomplishment of results appropriate to the resources expended. Adherence to privacy, security, and disclosure requirements. Merits of continuing ongoing CIPs. Note: Items to consider include availability of resources, performance measurements and impact on compliance . Timely submission of termination reports. Proper authorization for modifications to a project’s scope or estimated completion date. Use of alternative treatments, and their results. Reminder: The Field Case Selection Program Manager's review must ensure the National CIP Database is current, accurate, and the content is appropriate for effective monitoring of expiration and termination dates of CIPs. Any issues identified or actions taken as a result of the review should be documented by the Program Manager (or equivalent) and a copy of the results of the review should be shared with the appropriate Headquarter Director responsible for workload selection and delivery. 4.17.3.6 (05-15-2017) Quality Review by Disclosure Manager The disclosure manager may, as part of the normal quality review of functions, evaluate the controls on third party return information used for CIPs and provide a written report to the PSP Territory Manager/ Program Manager, Field Case Selection, LB&I CP&A, respective TE/GE Compliance Program Manager, or equivalent. Disclosure managers will, at a minimum, address the following questions during quality reviews: Was third party return information obtained which required the disclosure of internal data to obtain? Was required headquarters approval obtained through the submission of a CIP authorization request as contained in this document? Is the information being appropriately safeguarded? Has the function complied with the terms of the approved CIP request concerning the intended use of the information and its timely final disposition? 4.17.3.7 (02-25-2010) Privacy and Disclosure The Privacy Act of 1974 provides the legal basis for limiting the actions of federal agencies in order to protect the privacy of individuals. IRC 6103, Confidentiality and Disclosure of Return Information, provides for the protection as well as release of returns or return information. Only the minimum data required to accomplish a task should be gathered. The data must be appropriate, relevant, and necessary for the project. It must be protected against unauthorized disclosure and disposed of appropriately after it is has been used for its intended purpose. IRM 11.3, Disclosure of Official Information contains additional information. 4.17.3.8 (05-15-2017) Security Physical controls required by IRM 10.2, Physical Security Program, must be used to protect taxpayer information. Additional information may be found in IRM 1.15, Records and Information Management. All computer systems containing taxpayer information must adhere to the Computer Security Act of 1987 and to the requirements of IRM 10.8, Information Technology Security.