Taxpayer Confidentiality: Federal, State, and Local Agencies Receiving
Taxpayer Information (Letter Report, 08/30/1999, GAO/GGD-99-164).

Federal, state, and local agencies are authorized to receive from the
Internal Revenue Service (IRS) information on taxpayers that they need
to assist in their administration and enforcement of laws. These
agencies are required to protect the confidentiality of the information
they receive and to implement safeguards to prevent unauthorized access,
disclosure, and use. This report discusses (1) which federal, state, and
local agencies receive taxpayer information from IRS; (2) the type of
information they receive; (3) how that information is being used; (4)
what policies and procedures the agencies are required to follow to
safeguard that information; (5) how often IRS is to monitor agencies'
adherence to the safeguarding requirements; and (6) the results of IRS'
most recent monitoring efforts.

--------------------------- Indexing Terms -----------------------------

 REPORTNUM:  GGD-99-164
     TITLE:  Taxpayer Confidentiality: Federal, State, and Local
	     Agencies Receiving Taxpayer Information
      DATE:  08/30/1999
   SUBJECT:  Confidential communication
	     Internal controls
	     Information leaking
	     Tax information confidentiality
	     Interagency relations
	     Reporting requirements

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO report.  This text was extracted from a PDF file.        **
** Delineations within the text indicating chapter titles,      **
** headings, and bullets have not been preserved, and in some   **
** cases heading text has been incorrectly merged into          **
** body text in the adjacent column.  Graphic images have       **
** not been reproduced, but figure captions are included.       **
** Tables are included, but column deliniations have not been   **
** preserved.                                                   **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
** A printed copy of this report may be obtained from the GAO   **
** Document Distribution Center.  For further details, please   **
** send an e-mail message to:                                   **
**                                                              **
**                                            **
**                                                              **
** with the message 'info' in the body.                         **
******************************************************************

    United States General Accounting Office GAO               Report
    to the Joint Committee on Taxation, U.S. Congress August 1999
    TAXPAYER CONFIDENTIALITY Federal, State, and Local Agencies
    Receiving Taxpayer Information GAO-GGD-99-164 United States
    General Accounting Office Washington, D.C.  20548
    General Government Division B-282749 August 30, 1999 The Honorable
    Bill Archer Chairman The Honorable William V. Roth, Jr. Vice
    Chairman Joint Committee on Taxation The concerns of citizens and
    Congress regarding individual rights to privacy have made it
    important to assess the disclosure practices and safeguards
    employed by the Internal Revenue Service (IRS) and other federal,
    state, and local agencies to protect taxpayer information.
    Federal, state, and local agencies are authorized under Internal
    Revenue Code (IRC) section 6103 to receive from IRS the taxpayer
    information they need to assist in their administration and
    enforcement of laws. These agencies are required to protect the
    confidentiality of the information they receive and implement
    safeguards that are designed to prevent unauthorized access,
    disclosure, and use. Section 3802 of the IRS Restructuring and
    Reform Act of 1998 requires that both the Joint Committee on
    Taxation and the Secretary of the Treasury conduct a study of the
    scope and use of section 6103 provisions regarding taxpayer
    confidentiality. To assist in this effort, you requested that we
    provide you with information about *  which federal, state, and
    local agencies receive taxpayer information from IRS (see apps. I
    and II); *  what type of information they receive (see apps. III
    and IV); *  how the taxpayer information is being used (see app.
    V); *  what policies and procedures the agencies are required to
    follow to safeguard taxpayer information (see app. VI); *  how
    frequently IRS is to monitor agencies' adherence to the
    safeguarding requirements; and *  the results of IRS' most recent
    monitoring efforts (see app. VII). According to IRS, there were 37
    federal and 215 state and local agencies Results in Brief
    that received, or maintained records containing, taxpayer
    information under provisions of section 6103 during 1997 or 1998.
    The information that the agencies received included, among other
    things, the taxpayers' names, Social Security numbers, addresses,
    and wages. The information came in a variety of formats (i.e.,
    paper copy, electronic databases, and tape Page 1
    GAO-GGD-99-164 Safeguarding Taxpayer Information B-282749
    extracts). Some agencies received the information on a regular
    schedule (i.e., monthly, quarterly, or annually). Others received
    the information on an as-needed basis, such as while conducting
    criminal investigations. Federal, state, and local agencies said
    they used taxpayer information for one of several purposes, such
    as administering state tax programs, assisting in the enforcement
    of child support programs, verifying eligibility and benefits for
    welfare and public assistance programs, and conducting criminal
    investigations. Before receiving taxpayer information from IRS,
    agencies are required to advise IRS how they intend to use the
    information and to provide IRS with a detailed safeguard plan that
    describes the procedures established and used by the agency for
    ensuring the confidentiality of the information they want to
    receive. These safeguard plans are supposed to be updated every 6
    years or if significant changes are made to the agencies'
    procedures. IRS Publication 1075, Tax Information Security
    Guidelines for Federal, State, and Local Agencies,1 outlines what
    must be included in an agency's safeguard plan. Agencies are also
    required to submit annual reports to IRS summarizing their efforts
    to safeguard taxpayer information and any minor changes to their
    safeguarding procedures. In addition to providing IRS with
    safeguard plans and annual reports, agencies' Offices of Inspector
    General (OIG) may also review internal agency programs for
    safeguarding restricted or classified information. For example, in
    March 1999, the Department of Veterans Affairs' (VA) OIG issued a
    report on its review of the Evaluation of VHA's Income
    Verification Match Program (Report No. 9R1-G01-054, Mar. 15,
    1999).This report outlined possible inappropriate requests for and
    subsequent use of taxpayer information by VA's Health Eligibility
    Center. IRS conducts on-site reviews to ensure that agencies'
    safeguard procedures fulfill IRS requirements for protecting
    taxpayer information. IRS' National Office of Governmental Liaison
    and Disclosure, Office of Safeguards, has overall responsibility
    for safeguard reviews to assess whether taxpayer information is
    properly protected from unauthorized use or access as required by
    the IRC and to assist in reporting to Congress. Safeguard reviews
    are to be conducted every 3 years. IRS' safeguard reviews have
    identified discrepancies in agency safeguard procedures and made
    recommendations for corrections. The reviews have 1Publication
    1075 has been revised periodically, most recently in March 1999.
    Page 2
    GAO-GGD-99-164 Safeguarding Taxpayer Information B-282749
    uncovered problems with agency safeguarding procedures, ranging
    from inappropriate access to taxpayer information by contractor
    staff to administrative matters, such as the failure to properly
    document the disposal of information. IRS began exchanging federal
    taxpayer data with state tax administration Background
    agencies in the 1920s, but it was not until the Tax Reform Act of
    1976 that Congress declared federal tax returns and return
    information to be confidential. The Tax Reform Act specified IRS'
    responsibilities for safeguarding taxpayer information against
    unauthorized disclosure while authorizing IRS to share this
    information with state agencies for tax administration purposes.
    Congress also authorized the sharing of taxpayer information with
    child support programs to assist with enforcement, such as
    locating individuals owing child support. In 1984, Congress
    authorized IRS to share data to support federal and state
    administration of other programs, such as Aid to Families With
    Dependent Children2 and Medicaid, to assist in verifying
    eligibility and benefits. Disclosures of federal taxpayer
    information to an agency are restricted to the agency's justified
    need for and use of such information. Unauthorized inspection,
    disclosure, or use of taxpayer information is subject to civil and
    criminal penalties. The objective of this study was to provide the
    Committee with information Objective, Scope, and    on how
    federal, state, and local agencies use the taxpayer information
    they Methodology              are authorized to obtain under
    section 6103.3 To meet our objective, we met with officials in
    IRS' Office of Governmental Liaison and Disclosure, Office of
    Safeguards, and select IRS District Disclosure Offices. We also
    reviewed IRS documentation of reports submitted by federal, state,
    and local agencies on the safeguard procedures used to protect
    taxpayer information. In addition, we reviewed IRS reports of its
    monitoring efforts at these agencies. IRS provided us with lists
    of federal, state, and local agencies that had received taxpayer
    information during 1997 or 1998. We surveyed the agencies, asking
    them under what authority they received taxpayer information, how
    they received it, what they used the information for, and 2The Aid
    to Families With Dependent Children program has been replaced by
    the Temporary Assistance for Needy Families program. 3Our study
    did not address disclosure of taxpayer information to agencies
    pursuant to taxpayer consents under section 6103(c), which are not
    subject to the safeguard requirements of section 6103(p)(4). Page
    3                                                            GAO-
    GGD-99-164 Safeguarding Taxpayer Information B-282749 whether
    there were alternate sources of data they could use in lieu of
    taxpayer information. We also asked them about IRS' monitoring
    efforts and to identify any safeguard deficiencies that have been
    noted during recent internal or external reviews. Copies of our
    questionnaires are reproduced in appendix IX. We surveyed all of
    the federal agencies in the Washington, D.C., metropolitan area
    that IRS identified as having received taxpayer information. The
    response rate was 100 percent from these agencies. In some cases,
    we sent a questionnaire to more than one contact for a particular
    agency. For example, for the Department of Labor, IRS identified
    four separate components as receiving taxpayer information. Thus,
    IRS gave us the names of four separate contact persons at Labor.
    We mailed our questionnaire to 50 agency contact persons. In our
    cover letter, we encouraged them to distribute copies of the
    questionnaire to all other entities within the agency that
    received taxpayer information from IRS and asked that an
    appropriate representative from those units return a completed
    questionnaire. Several agencies that had only one contact person
    listed by IRS returned multiple questionnaires from different
    units within their agencies that use taxpayer information. For
    example, the Department of Transportation had only one contact
    person to whom we mailed our questionnaire, but staff in the
    Department completed and returned 10 questionnaires. In total, we
    received 98 questionnaires from the 50 agency contacts from whom
    we requested information. From the list IRS provided of 215 state
    and local entities that had received taxpayer information, we drew
    a simple random probability sample of 35 entities. Each entity on
    the IRS list had an equal, nonzero probability of being included
    in the sample. Our sample, then, is only one of a large number of
    samples that we might have drawn because we followed a probability
    procedure based on random selection. Each sample could have
    provided different estimates; thus, we can express our confidence
    in the precision of our particular sample's results as a 95-
    percent confidence interval. This is the interval that would
    contain the actual population value for 95 percent of the samples
    we could have drawn. As a result, we are 95- percent confident
    that each of the confidence intervals in this report will include
    the true values in the study population. We mailed questionnaires
    to the contact persons at each of the selected entities. Like the
    federal agencies, some of the state and local agencies completed
    more than one questionnaire. Thirty-four of the 35 state and Page
    4                          GAO-GGD-99-164 Safeguarding Taxpayer
    Information B-282749 local agencies we surveyed returned at least
    one questionnaire, for a response rate of 97 percent.4 Given the
    broad scope of our study and the required time frame for
    completion, our audit work focused on collecting and presenting
    the data from the agencies and IRS. As agreed with your office, we
    did not verify the information that we collected. We also did not
    evaluate the efforts of IRS or the federal, state, and local
    agencies to safeguard taxpayer information. We performed our work
    at IRS' National Office of Safeguards and select IRS District
    Disclosure Offices. Our work was done between March and August
    1999 in accordance with generally accepted government auditing
    standards. We requested comments on a draft of this report from
    the Commissioner of Internal Revenue. IRS provided written
    comments in an August 16, 1999, letter, which is reprinted in
    appendix X. The comments are discussed near the end of this
    letter. According to IRS, there were 37 federal and 215 state and
    local agencies Which Federal, State,    that received, or
    maintained records containing, taxpayer information and Local
    Agencies       under provisions of IRC section 6103 during 1997 or
    1998. We surveyed all of the 34 federal agencies in the
    Washington, D.C., metropolitan area that Receive Taxpayer
    IRS identified as having received taxpayer information. In
    responding to Information?             our questionnaire, 3 of the
    34 federal agencies-Agency for International Development,
    Department of Energy, and Environmental Protection Agency-
    indicated that they did not receive any taxpayer information
    during 1997 or 1998. In addition, two agencies-Equal Employment
    Opportunity Commission and Securities and Exchange Commission-
    indicated that they did not receive any taxpayer information
    during 1998. Among these 34 federal agencies, however, there were
    several that had more than one department or unit that utilized
    the taxpayer information received. From the list IRS provided of
    215 state and local entities that were receiving taxpayer
    information, we drew a simple random probability sample of 35
    entities. Only one of our sampled state and local entities-
    Alabama Department of Human Resources-indicated that it did not
    4The one outstanding agency, Maryland Department of Human
    Resources, Child Enforcement Agency, returned a questionnaire as
    we were processing this report. Because of the timing of when the
    questionnaire was returned, we were unable to include this
    response in our summary of information of state and local
    agencies. Page 5
    GAO-GGD-99-164 Safeguarding Taxpayer Information B-282749 receive
    any taxpayer information in 1997, and all of them indicated that
    they had received taxpayer information in 1998.5 According to IRS
    officials, they generally categorize the agencies into one of the
    following: *  Child support agenciesIRS discloses certain tax
    return information to federal, state, and local child support
    enforcement agencies. *  Welfare/public assistance agenciesIRS
    discloses certain tax return information to federal, state, and
    local agencies administering welfare/public assistance programs,
    such as food stamps and housing. *  State tax administration/law
    enforcement agenciesIRS discloses certain tax return information
    to federal, state, and local agencies for tax administration and
    the enforcement of state tax laws. *  Federal agenciesIRS
    discloses certain tax return information to federal agencies for
    certain other purposes. The type of taxpayer information agencies
    receive varies in content, What Type of Taxpayer format, and
    frequency according to how agencies use the information.
    Information Do                  Agencies may receive paper copies
    of individual tax returns, electronic databases of IRS' individual
    and business master files, or tape extracts Agencies Receive?
    from these files. The information can include such things as the
    taxpayers' names, Social Security numbers, addresses, or wages.
    Table 1 shows examples of the different types of taxpayer
    information agencies receive. As shown in table 1, agencies
    receive taxpayer information in a variety of formats-for example,
    paper copy, electronic databases, and tape extracts. Some agencies
    receive this information on a regular schedule-for example,
    monthly, quarterly, or annually. Other agencies receive it on an
    as-needed basis-for example, while conducting criminal
    investigations. 5On the basis of the questionnaire responses, we
    estimate that between 0 and 9 percent of all state and local
    entities on IRS' list did not receive taxpayer information in
    1998, and between 0 and 14 percent did not receive taxpayer
    information in 1997. Page 6
    GAO-GGD-99-164 Safeguarding Taxpayer Information B-282749 Table 1:
    Examples of Types of Taxpayer     Taxpayer information
    Format        Frequency Information Received by Federal, State,
    Individual and corporate income tax, estate tax, partnership,
    Paper copy Upon request and Local Agencies
    fiduciary, excise tax, and exempt organization audit reports Payer
    and payee information from W-2s, K-1s, Form 1099s,
    Paper copy Upon request and Form 5498 Taxpayers' mailing addresses
    Paper copy Upon request Information returns master file (SSN,
    name, address)                    Tape          Annual Individual
    master file extract (SSN, name, address, marital             Tape
    Annual status, exemptions, dependents, income, and return type)
    Corporate income tax return information (name, address, EIN, Tape
    Annual net income or loss, assets, and gross receipts) Employment
    tax returns records (EIN, total compensation paid, Tape
    Weekly taxable period, number of employees, total taxable wages
    paid, and tip income) Statistics of income corporate sample
    (credits, balance sheet, Tape                   Annual and income
    statement) W-2s and W-3s (wage data submitted by employers)
    Electronic, Upon request paper copy Unearned income from various
    Form 1099s                                 Tape          Monthly
    Wages, self-employment earnings, and retirement income
    Tape,         Annual, electronic monthly SSN, filing and marital
    status, taxpayer name, address,                 Tape,         Upon
    request employee EINs
    electronic Legend EIN Employee identification number Form 1099s
    Interest, dividend, and miscellaneous income statements Form 5498
    Individual Retirement Arrangement Information K-1s Beneficiary's,
    partnership's, and shareholder's share of income, deductions,
    credits, etc. SSN Social Security number W-2s and W-3s Wage and
    tax statements Source: IRS Office of Safeguards. We asked the
    agencies we surveyed to indicate how they received taxpayer
    information from IRS during 1997 or 1998 and how often they
    received that information. Tables 2 and 3 show the survey results.
    Page 7                                     GAO-GGD-99-164
    Safeguarding Taxpayer Information B-282749 Table 2: Formats in
    Which Agencies
    Agencies Received Taxpayer Information From        Format
    Federal      State and localb IRS in 1997 or 1998
    Paper copy
    56%                        44% Electronic databases
    50                         15 Tape extracts
    44                         88 Othera
    28                         18 Note: Percentages may add to more
    than 100 percent because agencies can receive the information in
    different formats for different purposes. aSome agencies indicated
    that they received the information on a diskette or via direct-
    connect. bThe percentages shown reflect the raw percentages
    obtained in the sample. The population percentages associated with
    the 95-percent confidence interval are: paper (30%-59%), database
    (6%-28%), tape extracts (75%-96%), other (8%-32%). Source: GAO
    analysis of responses from agencies surveyed. Table 3: Frequencies
    With Which
    Agencies Agencies Received Taxpayer                Frequency
    Federal      State and localb Information From IRS in 1997 or 1998
    Yearly
    34%                        18% Quarterly
    19                         15 Monthly
    19                         53 Weekly
    47                         18 Othera
    47                         29 Note: Percentages may add to more
    than 100 percent because agencies can receive the information at
    different intervals for different purposes. aSome agencies
    indicated that they received the information upon request or on an
    as-needed basis. bThe percentages shown reflect the raw
    percentages obtained in the sample. The population percentages
    associated with the 95-percent confidence interval are: yearly
    (8%-32%), quarterly (6%- 28%), monthly (39%-67%), weekly (8%-32%),
    other (17%-44%). Source: GAO analysis of responses from agencies
    surveyed. Appendixes III and IV further describe the types of
    taxpayer information received by federal and state and local
    agencies, respectively; the format in which the information was
    received; and the frequency with which it was received,
    categorized by purposes for which the information might be used.
    In addition to the taxpayer information received from IRS, many
    agencies use other sources of information to fulfill their
    missions. We asked the agencies to indicate, in lieu of taxpayer
    information, what other sources of data are available that would
    allow them to accomplish their missions. As shown in table 4, the
    responses from the federal, state, and local agencies we surveyed
    generally fell into one of following categories: *  There was no
    other source of data available to them. *  They used other
    sources, but these other sources were less reliable than tax
    information. Page 8
    GAO-GGD-99-164 Safeguarding Taxpayer Information B-282749 *  They
    used other sources, but these other sources were more costly to
    use than tax information. *  They used other sources in
    conjunction with the tax information. *  They did not respond to
    this question. Table 4:  Other Sources of Data
    Agencies Agencies Used in Lieu of Taxpayer      Other sources
    Federal              State and locala Information
    No other sources available
    47%                                 71% Other sources less
    reliable
    28                                    3 Other sources more costly
    16                                    0 Used other sources as well
    as tax data
    34                                  44 Did not respond
    19                                    3 Note: Percentages may add
    to more than 100 because more than one response was possible for
    an agency due to multiple responses from different components
    within an agency. aThe percentages shown reflect the raw
    percentages obtained in the sample. The population percentages
    associated with the 95-percent confidence interval are: no other
    sources available (56%- 83%), other sources less reliable (0%-
    14%), other sources more costly (0%-9%), and used other sources as
    well as tax data (30%-59%). Source: GAO analysis of responses from
    agencies surveyed. Under various IRC section 6103 subsections,
    agencies may receive How Is the Taxpayer
    taxpayer information for one of several reasons, such as to
    administer Information Being                      state tax
    programs, assist in the enforcement of child support programs, or
    verify eligibility and benefits for various welfare and public
    assistance Used?                                  programs (e.g.,
    food stamps or public housing).6 Agencies may also receive
    taxpayer data for use during a criminal investigation, to apprise
    appropriate officials of criminal activities or emergency
    circumstances, or to assist in locating fugitives from justice.
    One of the most common reasons why agencies said they received
    taxpayer information was their participation in the tax refund
    offset program.  Pursuant to the IRC, agencies submitted
    qualifying debts, such as student loans or child support payments,
    for collection by offsetting the debt against the taxpayer's
    refund.  Seventy-five percent of the federal agencies and 15
    percent of the state and local agencies in our sample indicated
    that they received taxpayer information for this purpose.
    Effective January 1, 1999, tax refund offset procedures for
    collecting qualifying debts were modified. The Department of the
    Treasury's Financial Management Service was given the
    responsibility for the Federal Refund Offset Program, which was
    merged into the centralized administrative offset program known as
    the Treasury Offset Program. This 6See appendix II for a
    description of the various IRC 6103 subsections. Page 9
    GAO-GGD-99-164 Safeguarding Taxpayer Information B-282749 program
    commingles tax refund information with other federal financial
    information (e.g., benefit payments, pensions). If a match is
    found when an individual has an outstanding debt and is receiving
    federal money in any form (e.g., tax refund, pension, or vendor
    payments), the individual is notified that his federal money can
    be withheld to pay off the debt. The source or sources of any
    money withheld is not revealed to the agencies, but simply the
    fact that an offset has been made. This information, then, is no
    longer identifiable as tax refund information; thus, it is no
    longer considered taxpayer information.7 Because of this change to
    the offset program, several agencies we surveyed indicated that
    they no longer needed taxpayer information. Thirty-four percent of
    the federal and 3 percent of the state and local agencies in our
    sample indicated that they are participating in the Treasury
    Offset Program and that they will no longer need to receive
    taxpayer information from IRS. We asked the agencies we surveyed
    to indicate how they use taxpayer information. We grouped their
    responses into the following categories: *  administering debt
    collection or offset program; *  administering tax laws; *
    determining eligibility for welfare and public assistance
    programs; *  enforcing child support programs; *  conducting
    criminal investigations; and *  other purposes, such as
    statistical and economic research, auditing government programs,
    or storage of tax returns. Table 5 shows how the agencies we
    surveyed responded to our query about how they used the taxpayer
    information they received in 1997 or 1998. (App. V provides a
    listing of possible uses of taxpayer information received from
    IRS.) 7To the extent that agencies collect past-due child support
    payments from tax refund offsets under the Treasury Offset
    Program, such agencies continue to receive specified taxpayer
    information as authorized by IRC section 6103 (l)(10). Page 10
    GAO-GGD-99-164 Safeguarding Taxpayer Information B-282749 Table 5:
    How Taxpayer Information Was
    Agencies Used by Federal, State, and Local           Category
    Federal              State and locala Agencies in 1997 or 1998
    Debt collection/offset program
    75%                                 15% Administering tax laws
    0                                41 Determining eligibility for
    welfare/public assistance programs
    16                                  32 Enforcement of child
    support programs
    6                                29 During criminal investigations
    28                                    3 Other purposes
    28                                    0 Note: Percentages may add
    to more than 100 percent because agencies can use taxpayer
    information for multiple purposes. aThe percentages shown reflect
    the raw percentages obtained in the sample. The population
    percentages associated with the 95-percent confidence interval
    are: Treasury offsets (6%-28%), administration of tax laws (28%-
    56%), welfare/public assistance programs (20%-47%), child support
    enforcement (17%-44%), investigations (0%-14%), and other (0%-9%).
    Source: GAO analysis of responses from agencies surveyed. Before
    receiving taxpayer information from IRS, agencies are required to
    What Policies and                           provide IRS with a
    detailed Safeguard Procedures Report (SPR) that Procedures Are
    describes the procedures established and used by the agency for
    ensuring the confidentiality of the information received. The SPR
    is a record of how Agencies Required to                        the
    agency processes the federal taxpayer information and protects it
    from Follow to Safeguard                         unauthorized
    disclosure. Taxpayer Information? IRS Publication 1075 outlines
    what must be included in an agency's SPR.8 In addition to
    requiring that it be submitted on agency letterhead and signed by
    the head of the agency or the head's delegate, an agency's SPR
    must contain information about *  responsible officer(s), *
    location of the data, *  flow of the data, *  system of records, *
    secure storage of the data, *  access to the data, *  disposal of
    the data, *  computer security, and *  agency's disclosure
    awareness program. All federal agencies and the state welfare
    agencies are to submit their SPRs to IRS' Office of Safeguards,
    which is to review the reports for completeness and acceptance.
    State taxing agencies and child support 8See appendix VI for a
    summary of the requirements included in IRS Publication 1075. Page
    11                                                           GAO-
    GGD-99-164 Safeguarding Taxpayer Information B-282749 enforcement
    agencies are to submit their SPRs to the IRS District Disclosure
    Office in their respective states. Agencies are expected to submit
    a new SPR every 6 years or whenever significant changes occur to
    their safeguard program. IRS has taken steps to withhold taxpayer
    information from agencies if their SPRs did not fulfill the
    requirements set forth in IRC section 6103. Shown below are some
    recent examples of IRS notifying agencies that they would not be
    able to get taxpayer information because their SPRs were
    incomplete. *  In April 1999, IRS' Office of Safeguards notified
    the Arizona Department of Economic Security that, since IRS had
    not received an acceptable SPR, it was recommending to IRS' Office
    of FedState Relations that federal taxpayer information be
    withheld until the agency complied with the safeguarding
    requirements outlined in IRC section 6103. IRS' Office of
    Safeguards further advised that it would recommend to the Social
    Security Administration that tax information contained in the
    Beneficiary Earnings Exchange Record should not be forwarded to
    the department. *  In May 1999, IRS' Office of Safeguards notified
    the West Virginia Department of Health and Human Resources that
    additional information that IRS had requested in an earlier letter
    had not been provided and that it could not accept the procedures
    described in the department's draft SPR as adequately protecting
    federal taxpayer information from unauthorized disclosure. *  In
    June 1999, IRS' Office of Safeguards notified the Federal Bureau
    of Investigation that IRS was unable to accept the Bureau's SPR as
    describing adequate safeguard procedures to protect federal
    taxpayer information from unauthorized disclosure. Agencies are
    also required to file a Safeguard Activity Report (SAR) annually
    with IRS to advise it of any minor changes to the procedures or
    safeguards described in their SPR. The SAR is also to advise IRS
    of future actions that would affect the agency's safeguard
    procedures-for example, new computer equipment, facilities, or
    systems or the use of contractors, as permitted by law, to do
    programming, processing, or administrative services. Moreover, the
    SAR is to summarize the agency's current efforts to ensure
    confidentiality and certify that the agency is protecting taxpayer
    information pursuant to IRC section 6103(p)(4) and the agency's
    own security requirements. In addition to the SPRs and annual SARs
    that are sent to IRS, agencies' OIGs may also review agency
    programs for safeguarding taxpayer Page 12
    GAO-GGD-99-164 Safeguarding Taxpayer Information B-282749
    information. For example, a March 1999 Department of Veterans
    Affairs (VA) OIG report outlined possible inappropriate requests
    for and subsequent use of taxpayer information by VA's Health
    Eligibility Center because of erroneous information supplied to
    them by some VA medical facilities.9 The OIG found that a large
    percentage of sampled cases did not have certain required
    documentation on file and, consequently, should not have been
    referred for income matching and verification. Before we notified
    IRS about the VA OIG report, neither Treasury nor IRS was aware of
    the report or its findings. After meeting with IRS to discuss the
    OIG findings, VA agreed to work with IRS on corrective actions.
    According to IRS, federal agency OIGs are not required to notify
    IRS of their findings involving tax returns and return
    information. In July 1999, IRS issued a memorandum to federal
    agency OIGs asking for their assistance in working with IRS in
    this area. IRS is supposed to conduct on-site reviews every 3
    years to ensure that How Frequently Is IRS agencies' safeguard
    procedures fulfill IRS requirements for protecting to Monitor
    Agencies'            taxpayer information. IRS' National Office of
    Governmental Liaison and Disclosure, Office of Safeguards, has
    overall responsibility for safeguard Adherence to the
    reviews to assess whether taxpayer information is properly
    protected from Safeguarding                    unauthorized
    inspection, disclosure, or use as required by the IRC and to
    Requirements?                   assist in reporting to Congress.
    The Office of Safeguards conducts the on- site reviews for all the
    federal agencies and state welfare agencies that receive taxpayer
    information. IRS' District Offices of Disclosure and FedState
    Relations are responsible for conducting the on-site safeguard
    reviews at all other state and local agencies that receive
    taxpayer information. There are 33 district offices, 29 of which
    have responsibilities for overseeing the safeguard reviews at
    state and local agencies. As of June 1999, there were 230
    professional and 24 support staff assigned to the national and
    district disclosure offices. (App. VIII shows the staffing levels
    of these offices.) In addition to overseeing the safeguarding
    program, the district offices have responsibility for a variety of
    other disclosure activities, such as responding to requests under
    the Freedom of Information Act or Privacy Act. According to IRS,
    staff from the responsible IRS office visit the agency to review
    the procedures established and used by the agency to protect
    taxpayer information from unauthorized disclosure. In addition,
    they assess the agency's need for, and use of, this information.
    IRS staff are to meet with agency personnel, review agency
    records, and visit agency 9Report No. 9R1-G01-054, Mar. 15, 1999.
    Page 13
    GAO-GGD-99-164 Safeguarding Taxpayer Information B-282749
    facilities where taxpayer information is kept. They then prepare a
    report detailing their assessment of the agency's processes and
    ability to fulfill the requirements of IRC section 6103(p)(4). In
    addition to conducting the triennial safeguard reviews, IRS
    District Disclosure Office staff are to conduct annual "need and
    use" reviews at all state and local agencies involved in tax
    administration. These reviews are done to validate the agencies'
    continued need for and use of the tax information they receive
    from IRS. IRS' safeguard reviews over the last 5 years have
    identified discrepancies What Are the Results    in agency
    safeguard procedures and made recommendations for of IRS'
    Monitoring      corrections. The reviews have uncovered
    deficiencies with agency safeguarding procedures, ranging from
    inappropriate access of taxpayer Efforts?
    information by contractor staff to administrative matters, such as
    the failure to properly document the disposal of information.
    Discrepancies found by IRS during the safeguard reviews generally
    were procedural deficiencies and did not result in known
    unauthorized disclosures of taxpayer information. In their
    responses to the discrepancies found and recommendations made by
    IRS, agencies indicated that they would institute corrective
    actions. (App. VII provides examples of the discrepancies found by
    IRS during its safeguard reviews.) As noted above, one of the
    discrepancies that IRS found during safeguard reviews was that
    some agencies that received taxpayer information were using
    contractor personnel in a manner that might allow them access to
    taxpayer information. In its Report on Procedures and Safeguards
    Established and Utilized by Agencies for the Period January 1
    through December 31, 1998, IRS highlighted this problem to
    Congress. IRS found agencies using contractor personnel in setting
    up agency computer systems in a manner that permitted the
    contractors to see taxpayer information. IRS also found agencies
    using contractor personnel in the disposal of taxpayer
    information, without having agency personnel observe the process
    to ensure that contractor personnel did not "access" the
    information. One of the major changes to IRS Publication 1075 in
    March 1999 was the inclusion of a section devoted to the
    appropriateness of, and precautions with, using contractor
    personnel to assist an agency in fulfilling the part of its
    mission that requires the use of taxpayer information. Some types
    of administrative discrepancies found by IRS staff during
    safeguard reviews included, among other things, that Page 14
    GAO-GGD-99-164 Safeguarding Taxpayer Information B-282749 *
    agencies were not properly documenting what information had been
    destroyed; *  agency recordkeeping systems at field offices did
    not always meet the statutory requirements for accountability; *
    agencies were not properly tracking the shipment of paper
    documents containing federal taxpayer information; and *
    employees were not always aware of the criminal and civil
    penalties that can be imposed for unauthorized inspection or
    disclosure. We requested comments on a draft of this report from
    the Commissioner Agency Comments and of Internal Revenue.
    Officials representing the Assistant Commissioner for Our
    Evaluation                  Examination and the Commissioner's
    Office of Legislative Affairs provided IRS' comments at an August
    12, 1999, meeting.  IRS also provided written comments in an
    August 16, 1999, letter, which is reprinted in appendix X. IRS was
    in overall agreement with the draft report and said it fairly
    represented the scope and use of IRC section 6103 provisions
    regarding safeguarding taxpayer information.  IRS also provided
    some additional information and technical comments.  Where
    appropriate, we made changes to this report on the basis of these
    comments. We are sending copies of this report to Senator Fred
    Thompson, Chairman, and Senator Joseph I. Lieberman, Ranking
    Minority Member, Senate Committee on Governmental Affairs, and
    Representative Charles B. Rangel, Ranking Minority Member, House
    Committee on Ways and Means. We are also sending copies to the
    Honorable Lawrence H. Summers, Secretary of the Treasury; the
    Honorable Charles O. Rossotti, Commissioner of Internal Revenue;
    the Honorable Jacob Lew, Director, Office of Management and
    Budget; and other interested parties. We will also send copies to
    those who request them. If you or your staff have any questions
    concerning this report, please contact me or Joseph Jozefczyk at
    (202) 512-9110. Other major contributors to this report are
    acknowledged in appendix XI. Cornelia M. Ashby Associate Director,
    Tax Policy and Administration Issues Page 15
    GAO-GGD-99-164 Safeguarding Taxpayer Information Contents 1 Letter
    Appendix I: Lists of Federal, State, and Local Agencies
    20 Appendixes      Receiving Taxpayer Information Appendix II: IRC
    Section 6103 Subsections That                               24
    Authorize IRS to Disclose Taxpayer Information Subject to
    Safeguarding Requirements Appendix III: Overview of Information
    Provided to                            32 Federal Agencies Under
    the Provisions of IRC Section 6103 Appendix IV: Overview of
    Information Provided to State                       36 and Local
    Agencies Under the Provisions of IRC Section 6103 Appendix V:
    Possible Uses for Federal Taxpayer Data
    39 Provided to Federal, State, and Local Agencies Appendix VI:
    Summary of Tax Information Security                             41
    Guidelines for Federal, State, and Local Agencies Appendix VII:
    Examples of Deficiencies Found During                          47
    IRS' Reviews of Agencies' Safeguarding Procedures Appendix VIII:
    Staffing Levels for IRS' Office of                            54
    Safeguards Appendix IX: Questionnaires Used to Survey Federal,
    56 State, and Local Agencies Receiving Taxpayer Information
    Appendix X: Comments From the Internal Revenue
    60 Service Appendix XI: GAO Contacts and Staff Acknowledgments
    61 Table 1: Examples of Types of Taxpayer Information
    6 Tables          Received by Federal, State, and Local Agencies
    Table 2: Formats in Which Agencies Received Taxpayer
    7 Information From IRS in 1997 or 1998 Table 3: Frequencies With
    Which Agencies Received                             8 Taxpayer
    Information From IRS in 1997 or 1998 Table 4:  Other Sources of
    Data Agencies Used in Lieu of                      9 Taxpayer
    Information Table 5:  How Taxpayer Information Was Used by
    11 Federal, State, and Local Agencies in 1997 or 1998 Table I.1:
    List of Federal Agencies Receiving Taxpayer
    20 Information Table I.2:  List of State and Local Agencies
    Receiving                       21 Taxpayer Information Page 16
    GAO-GGD-99-164 Safeguarding Taxpayer Information Contents Table
    II.1: IRC Authorization for Federal Agencies to
    30 Receive Taxpayer Information Table II.2: IRC Authorization for
    State and Local Agencies                   31 to Receive Taxpayer
    Information Table III.1:  Disclosure to Federal Agencies for Tax
    32 Administration and the Administration of Federal Laws Not
    Related to Tax Administration Table III.2:  Disclosure to Federal
    Agencies for Statistical                 33 Purposes Table III.3:
    Disclosure to Federal Agencies for Purposes                     34
    Other Than Tax Administration Table III.4:  Disclosure to Federal
    Agencies for Collecting                  35 Certain Federal Claims
    and Taxes and for Locating Donors Table IV.1: Disclosure to State
    Tax Officials and State and                  36 Local Law
    Enforcement Agencies Table IV.2: Disclosure to State and Local
    Child Support                      38 Enforcement Agencies Table
    IV.3: Disclosure to State and Local Welfare
    38 Agencies Table V.1: Possible Uses of Taxpayer Information by
    39 Federal, State, and Local Agencies Table VII.1: Examples of
    Agency Deficiencies Found                           53 During IRS'
    Safeguard Reviews Figure IX.1: Survey of Federal Agencies
    Receiving                            56 Figures      Taxpayer Data
    Figure IX.2: Survey of State and Local Agencies Receiving
    58 Taxpayer Data Page 17                         GAO-GGD-99-164
    Safeguarding Taxpayer Information Contents Abbreviations ATF
    Bureau of Alcohol, Tobacco, and Firearms FMS         Financial
    Management Services HCFA        Health Care Financing
    Administration IRC         Internal Revenue Code IRS
    Internal Revenue Service OCSE        Office of Child Support
    Enforcement OIG         Office of the Inspector General OPM
    Office of Personnel Management RRB         Railroad Retirement
    Board SSA         Social Security Administration VA
    Department of Veterans Affairs SAR         Safeguards Activity
    Report SPR         Safeguards Procedures Report Page 18
    GAO-GGD-99-164 Safeguarding Taxpayer Information Page 19    GAO-
    GGD-99-164 Safeguarding Taxpayer Information Appendix I Lists of
    Federal, State, and Local Agencies Receiving Taxpayer Information
    The Internal Revenue Service (IRS) provided us with the following
    list of federal agencies in the Washington, D.C., metropolitan
    area that received, or maintained records containing, taxpayer
    data under the authority of Internal Revenue Code (IRC) section
    6103. Table I.1:  List of Federal Agencies Receiving Taxpayer
    Information 1 Agency for International Developmenta
    14 Department of Transportation 2 Central Intelligence Agency
    Federal Aviation Administration 3 Defense Finance and Accounting
    Service                                  Office of the Secretary
    of Transportation, TASC 4 Department of Agriculture
    Research and Special Programs Farm Service Agency
    U.S. Coast Guard Food and Nutrition Service
    15 Department of the Treasury National Finance Center
    Financial Management Service Office of the Inspector General
    Office of the Inspector General Risk Management Agency
    U.S. Customs Service Rural Development
    U.S. Secret Service, Financial Management Division 5 Department of
    Commerce                                                  U.S.
    Secret Service, Investigative Support Division Bureau of Economic
    Analysis                                    16 Department of
    Veterans Affairs Economic Planning and Coordination Division
    Debt Management Center Planning Research and Evaluation Division
    Veterans Benefits Administration Office of Financial Management
    17 Environmental Protection Agencya 6 Department of Education
    18 Equal Employment Opportunity Commission 7 Department of Energya
    19 Federal Emergency Management Agency 8 Department of Health and
    Human Services                          20 General Accounting
    Office Office of Child Support Enforcement
    21 General Services Administration Program Support Center
    22 National Archives and Records Administration 9 Department of
    Housing and Urban Development                             Office
    of the General Counsel Albany Financial Operations Center
    Records Center Facilities Real Estate Assessment Center
    23 National Labor Relations Board 10 Department of the Interior
    24 National Science Foundation 11 Department of Justice
    25 Office of Independent Counsel Antitrust Division
    26 Office of Personnel Management Civil Division
    27 Pension Benefit Guaranty Corporation Debt Collection Management
    28 Securities and Exchange Commission Federal Bureau of
    Investigation                                29 Small Business
    Administration Office of Professional Responsibility
    30 Social Security Administration Tax Division
    Office of the Inspector General U.S. Attorneys Offices
    Office of Policy, Office of Research, Evaluation, and Statistic 12
    Department of Labor
    Office of Program Benefits Office of the Chief Financial Officer
    Office of Systems Requirements Office of the Inspector General
    31 United States Marine Corps Pension and Welfare Benefits
    Administration                    32 U.S. Information Agency Plans
    Benefits Security Division                               33 U.S.
    Peace Corps 13 Department of State
    34 U.S. Postal Service General Accounting Section Postal
    Inspection Service aIn responding to our questionnaire, these
    agencies indicated that they had not received any taxpayer
    information in 1997 or 1998. Page 20
    GAO-GGD-99-164 Safeguarding Taxpayer Information Appendix I Lists
    of Federal, State, and Local Agencies Receiving Taxpayer
    Information In addition, IRS identified the following six entities
    not in the Washington, D.C., metropolitan area that received
    taxpayer information. These were: *  Army and Air Force Exchange,
    Dallas, TX *  Department of the Treasury, Bureau of Public Debt,
    Parkersburg, WV *  Navy Exchange Service Command, Virginia Beach,
    VA *  Department of the Treasury, U.S. Customs, Indianapolis, IN *
    Department of Veteran Affairs, Fort Snelling, MN *  U.S. Railroad
    Retirement Board, Chicago, IL As agreed with your office, we did
    not include these six in our survey because they were located
    outside the Washington, D.C., metropolitan area. IRS provided us
    with the following list of state and local agencies that received,
    or maintained records containing, taxpayer data under the
    authority of IRC section 6103. Table I.2:  List of State and Local
    Agencies Receiving Taxpayer Information 1    Alabama Child Support
    Enforcement Agency                        28 Connecticut
    Department of Social Services 2    Alabama Department of Human
    Resources                           29 Delaware Child Support
    Enforcement Agency 3    Alabama Department of Revenue
    30 Delaware Department of Transportation 4    Alabama Medicaid
    Agency                                         31 Delaware
    Division of Revenue 5    Alaska Child Support Enforcement Agency
    32 Delaware Health & Social Services 6    Alaska Department of
    Health & Social Services                   33 District of Columbia
    Office of Corporation Counsel 7    Alaska Department of Revenue
    34 District of Columbia Department of Human Services 8    American
    Samoa Department of Treasury                           35 District
    of Columbia Office of Tax & Revenue 9    Arizona Department of
    Economic Security                         36 Florida Department of
    Children & Family Services 10 Arizona Department of Revenue
    37 Florida Department of Revenue 11 Arizona Department of
    Transportation                              38 Georgia Child
    Support Enforcement Agency 12 Arizona Health Care Cost Containment
    System                       39 Georgia Department of Human
    Resources 13 Arkansas Department of Finance & Administration
    Revenue           40 Georgia Department of Labor 14 Arkansas
    Department of Human Services                             41
    Georgia Department of Revenue 15 Arkansas Department of Labor
    42 Guam Child Support Enforcement Agency 16 Arkansas Office of
    Child Support Enforcement                      43 Guam Department
    of Revenue & Taxation 17 California State Controller's Office
    44 Hawaii Child Support Enforcement Agency 18 California
    Department of Social Services                          45 Hawaii
    Department of Human Services 19 California Employment Development
    Department                      46 Hawaii Department of Labor &
    Industrial Relations 20 California Franchise Tax Board
    47 Hawaii Department of Taxation 21 California State Board of
    Equalization                            48 Idaho Department of
    Health & Welfare 22 Colorado Department of Human Services
    49 Idaho Department of Labor 23 Colorado Department of Labor &
    Employment                         50 Idaho Department of Revenue
    24 Colorado Department of Revenue
    51 Idaho State Tax Commission 25 Colorado Department of Social
    Services                            52 Illinois Attorney General's
    Office 26 Connecticut Bureau of Child Support
    53 Illinois Department of Human Services 27 Connecticut Department
    of Revenue Services                        54 Illinois Department
    of Public Aid Page 21                               GAO-GGD-99-164
    Safeguarding Taxpayer Information Appendix I Lists of Federal,
    State, and Local Agencies Receiving Taxpayer Information 55
    Illinois Department of Revenue
    105 MissouriKansas City Revenue Division 56 Illinois Office of
    Child Support Enforcement                       106 MissouriCity
    of St. Louis Revenue Department 57 Indiana Family & Social
    Services Administration                    107 Montana Department
    of Justice 58 Indiana Department of Revenue
    108 Montana Department of Public Health & Human Services 59
    Indiana Department of Workforce Development
    109 Montana Department of Revenue 60 Indiana Office of Child
    Support Enforcement                        110 Montana Department
    of Social & Rehabilitation Services 61 Iowa Child Support
    Enforcement Agency                              111 Montana
    Department of Transportation 62 Iowa Department of Human Services
    112 Nebraska Child Support Enforcement Agency 63 Iowa Department
    of Finance & Revenue                               113 Nebraska
    Department of Health & Human Services 64 Iowa Workforce
    Development                                         114 Nebraska
    Department of Labor 65 Kansas Department of Revenue
    115 Nebraska Department of Revenue 66 Kansas Department of Social
    & Rehabilitative Services              116 Nebraska Department of
    Social Services 67 Kentucky Cabinet for Families & Children
    117 Nevada Department of Human Resources 68 Kentucky Revenue
    Cabinet                                           118 Nevada
    Department of Motor Vehicles 69 Kentucky Workforce Development
    119 Nevada Department of Taxation 70 KentuckyLouisville/Jefferson
    County Revenue Commission            120 Nevada Department of
    Human Resources 71 Louisiana Child Support Enforcement Agency
    121 New Hampshire Child Support Enforcement Agency 72 Louisiana
    Department of Health & Hospitals                         122 New
    Hampshire Department of Employment 73 Louisiana Department of
    Revenue                                    123 New Hampshire
    Department of Health & Human Services 74 Louisiana Department of
    Social Services                            124 New Hampshire
    Department of Revenue 75 Louisiana State Police
    125 New Hampshire Department of Safety 76 Maine Bureau of
    Employment                                         126 New Jersey
    Department of Human Services 77 Maine Child Support Enforcement
    Agency                             127 New Jersey Department of
    Labor 78 Maine Department of Human Services
    128 New Jersey Division of Taxation 79 Maine Revenue Services
    129 New Mexico Human Services Department 80 Maryland Child Support
    Enforcement Agency                          130 New Mexico
    Department of Labor 81 Maryland Controller of the Treasury
    131 New Mexico Taxation & Revenue Department 82 Maryland
    Department of Human Resources                             132 New
    York Department of Labor 83 Maryland Department of Labor
    133 New York Department of Social Services 84 Massachusetts Child
    Support Enforcement Agency                     134 New York
    Department of Taxation & Finance 85 Massachusetts Department of
    Employment Services                    135 New York City
    Department of Finance 86 Massachusetts Department of Revenue
    136 North Carolina Department of Health & Human Services 87
    Massachusetts Department of Transitional Assistance
    137 North Carolina Department of Human Resources 88 Massachusetts
    Division of Medical Assistance                       138 North
    Carolina Department of Revenue 89 Michigan Family Independence
    Agency                                139 North Dakota Department
    of Human Services 90 Michigan Department of Treasury
    140 North Dakota Office of State Tax Commissioner 91 Michigan
    Office of Child Support Enforcement                       141 Ohio
    Bureau of Employment Services 92 MichiganCity of Detroit Income
    Tax Bureau                         142 Ohio Department of Human
    Services 93 Minnesota Department of Economic Security
    143 Ohio Department of Taxation 94 Minnesota Department of Human
    Services                             144 OhioCity of Cincinnati
    Income Tax Bureau 95 Minnesota Department of Revenue
    145 OhioCity of Cleveland Division of Taxation 96 Minnesota
    Department of Social Services                            146
    OhioCity of Columbus Income Tax Division 97 Mississippi Child
    Support Enforcement Agency                       147 OhioCity of
    Toledo Division of Taxation 98 Mississippi Department of Human
    Services                           148 Oklahoma Department of
    Human Services 99 Mississippi Department of Public Safety
    149 Oklahoma Tax Commission 100 Mississippi Division of Medicaid
    150 Oregon Child Support Enforcement Agency 101 Mississippi State
    Tax Commission                                  151 Oregon
    Department of Human Resources 102 Missouri Department of Revenue
    152 Oregon Department of Revenue 103 Missouri Department of Social
    Services                            153 Pennsylvania Department of
    Public Welfare 104 Missouri Division of Employment Security
    154 Pennsylvania Department of Revenue Page 22
    GAO-GGD-99-164 Safeguarding Taxpayer Information Appendix I Lists
    of Federal, State, and Local Agencies Receiving Taxpayer
    Information 155 PennsylvaniaCity of Philadelphia Department of
    Revenue         186 Vermont Division of Motor Vehicles 156
    PennsylvaniaCity of Pittsburgh Department of Finance           187
    Virginia Child Support Enforcement Agency 157 Puerto Rico
    Department of Social Services                       188 Virginia
    Department of Motor Vehicles 158 Puerto Rico Department of the
    Family                            189 Virginia Department of
    Social Services 159 Puerto Rico Department of the Treasury
    190 Virginia Department of Taxation 160 Puerto Rico Department of
    Welfare                               191 Virgin Islands Bureau of
    Health Insurance & Medical Assistance 161 Puerto Rico Division of
    Medicaid                                192 Virgin Islands Bureau
    of Internal Revenue 162 Rhode Island Child Support Enforcement
    Agency                   193 Virgin Islands Department of Finance
    163 Rhode Island Department of Human Services
    194 Virgin Islands Department of Human Services 164 Rhode Island
    Department of Administration                       195 Virgin
    Islands Department of Justice, Child Support Enforcement 165 South
    Carolina Department of Revenue                            196
    Washington Child Support Enforcement Agency 166 South Carolina
    Department of Social Services                    197 Washington
    Department of Social & Health Services 167 South Carolina
    Employment Services                              198 Washington
    State Department of Revenue 168 South Dakota Department of Labor
    199 Washington Department of Licensing 169 South Dakota Department
    of Revenue                              200 Washington Department
    of Labor & Industry 170 South Dakota Department of Social Services
    201 Washington State Employment Security 171 Tennessee Department
    of Employment Security                     202 West Virginia Child
    Support Enforcement Agency 172 Tennessee Department of Human
    Services                          203 West Virginia Department of
    Employment 173 Tennessee Department of Revenue
    204 West Virginia Department of Health & Human Services 174
    TennesseeNashville Metropolitan Police Department              205
    West Virginia Department of Tax & Revenue 175 Texas Department of
    Human Services                              206 Wisconsin Child
    Support Enforcement Agency 176 Texas Disposal Systems
    207 Wisconsin Department of Industry & Labor 177 Texas Office of
    the Attorney General, Child Support             208 Wisconsin
    Department of Revenue Enforcement 178 Texas Comptroller of Public
    Accounts                            209 Wisconsin Department of
    Workforce Development 179 Texas Workforce/Employment Commission
    210 Wyoming Department of Employment 180 Utah Department of
    Workforce Services                           211 Wyoming
    Department of Family Services 181 Utah State Tax Commission
    212 Wyoming Department of Revenue 182 Vermont Child Support
    Enforcement Agency                        213 Wyoming Department
    of Social Service 183 Vermont Department of Employment Services
    214 Wyoming Department of Transportation 184 Vermont Department of
    Social Welfare                            215 Wyoming State
    Auditor's Office 185 Vermont Department of Taxes Page 23
    GAO-GGD-99-164 Safeguarding Taxpayer Information Appendix II IRC
    Section 6103 Subsections That Authorize IRS to Disclose Taxpayer
    Information Subject to Safeguarding Requirements Certain federal,
    state, and local agencies, and others are authorized under IRC
    Section 6103               Internal Revenue Code (IRC) section
    6103 to receive taxpayer information from the Internal Revenue
    Service (IRS). The following describes the agencies, bodies,
    commissions, and other agents authorized by IRC section 6103
    subsections to obtain taxpayer information, subject to
    safeguarding requirements prescribed in IRC section 6103(p)(4).
    Disclosures of taxpayer information can be made to state taxing
    agencies IRC Section 6103(d)           and state and local law
    enforcement agencies that assist in the Disclosures to State Tax
    administration of state tax laws. Disclosures under this section
    are to be Agencies and State and         used only for tax
    administration purposes, and states must justify the need Local
    Law Enforcement          for this information and must use the
    data provided. Agencies (Officers and         Certain disclosures
    of taxpayer information can be made to Committees of Employees IRC
    Sect ) for Tax ion 6103(f)       Congress and their agents upon
    written request from the Chairman of the Administrat Disclosu
    ion Purposes res to Committees    House Committee on Ways and
    Means, the Senate Committee on Finance, of Congress
    or the Joint Committee on Taxation. Taxpayer information that can
    be associated with, or otherwise identify (directly or
    indirectly), a particular taxpayer can only be furnished to the
    Committee when in closed executive session, unless a taxpayer
    otherwise consents in writing to the disclosure. Agents, such as
    the General Accounting Office, and certain other Committees may
    also receive taxpayer information under subsections (f)(3) and
    (4). 6103(h)(2)Disclosures of taxpayer information can be made to
    the IRC Section 6103(h)           Department of Justice for
    proceedings involving tax administration before Disclosures to
    Federal         a federal grand jury or any proceedings or
    investigation that may result in a Agencies (Officers and
    proceeding before a federal grand jury or federal or state court.
    Employees) for Tax             6103(h)(5)Disclosures of the
    address and status of a nonresident alien, Administration Purposes
    citizen, or resident of the United States to the Social Security
    Administration (SSA) and Railroad Retirement Board can be made for
    purposes of carrying out responsibilities for withholding tax
    under section 1441 of the Social Security Act for Social Security
    benefits. Page 24                          GAO-GGD-99-164
    Safeguarding Taxpayer Information Appendix II IRC Section 6103
    Subsections That Authorize IRS to Disclose Taxpayer Information
    Subject to Safeguarding Requirements 6103(i)(l) and (2)Disclosures
    of taxpayer and other information can be IRC Section 6103(i)-
    made for use in certain criminal investigations. Disclosures to
    Federal Agencies (Officers and         6103(i)(3)Disclosures of
    taxpayer information can be used to apprise Employees) for
    appropriate officials of criminal activities or emergency
    circumstances. Administration of Federal
    6103(i)(5)Disclosures of taxpayer information can be made to
    locate Laws Not Related to Tax        fugitives from justice upon
    the grant of an ex parte order by a federal Administration
    district court judge or magistrate. 6103(i)(7)Disclosures of
    taxpayer information can be made to officers and employees of the
    General Accounting Office in conducting audits of IRS; Bureau of
    Alcohol, Tobacco and Firearms (ATF); and any agency authorized by
    6103(p)(6). 6103(j)(1)Disclosures of taxpayer information can be
    made to the IRC Section 6103(j)           Department of Commerce
    (Census and Bureau of Economic Analysis). Disclosures for
    Statistical Use                            6103(j)(2)Disclosures
    of taxpayer information can be made to the Federal Trade
    Commission for statistical purposes. Only corporate returns can be
    disclosed for legally authorized economic surveys of corporations.
    (According to IRS, this section is obsolete because the Federal
    Trade Commission no longer performs these economic surveys.)
    6103(j)(5)Disclosures of taxpayer information can be made to the
    Department of Agriculture for the purpose of structuring,
    preparing, and conducting the census of agriculture pursuant to
    the Census of Agriculture Act of 1997. Disclosures of taxpayer
    information can be made to the Department of the IRC Section
    6103(k)(8)        Treasury's Financial Management Service (FMS)
    for levies related to any Disclosure for Certain Other federal
    debt. Tax Administration Purposes IRC section 6103(l)(1) and
    (l)(5) allow a specific type of disclosure IRC Section 6103(l)
    between IRS and SSA commonly known as the Continuous Work History
    Disclosures for Purposes       Sample Program. Under this
    disclosure, a small sample (approximately 1%) Other Than Tax
    of the U.S. population's Social Security-related data, wage
    information, and Administration                 self-employment
    data is collected and used (1) for various studies to monitor
    trends that may affect Social Security programs; (2) as a model to
    assist in determining the effects of proposed program changes,
    including Page 25                              GAO-GGD-99-164
    Safeguarding Taxpayer Information Appendix II IRC Section 6103
    Subsections That Authorize IRS to Disclose Taxpayer Information
    Subject to Safeguarding Requirements proposed legislative or
    administrative changes; and (3) to assess funding requirements
    related to trust funds and the budget. 6103(l)(1)Disclosures of
    taxpayer information can be made to the Social Security
    Administration and Railroad Retirement Board for the
    administration of the Social Security Act and the Railroad
    Retirement Act. The common name for this disclosure is the
    Administration of the Social Security Act Program. Section
    6103(l)(1) is very specific as to what information may be
    disclosed to SSA, and part of this information may be used by SSA
    only for purposes of carrying out its responsibility under section
    1131 of the Social Security Act. 6103(l)(2)Disclosures of taxpayer
    information can be made to the Department of Labor and the Pension
    Benefit Guaranty Corporation for administration of titles I and IV
    of the Employee Retirement Income Security Act of 1974.
    6103(l)(3)Disclosures of taxpayer information can be made to any
    federal agency administering a federal loan program.
    6103(l)(5)Disclosures of taxpayer information can be made to the
    Social Security Administration for the purposes of (1) carrying
    out an effective return processing program pursuant to section 232
    of the Social Security Act and (2) providing information regarding
    the mortality status of individuals for epidemiological and
    similar research in accordance with section 1106(d) of the Social
    Security Act. The common name for this disclosure is the Annual
    Wage Reporting Program. Section 6103(l)(5) permits SSA and IRS to
    work together to process and share certain information. SSA and
    IRS conduct a number of exchanges to identify whether employee,
    employer, and wage data are correct and employers are submitting
    information as legally required. 6103(l)(6)Disclosures of taxpayer
    information can be made to federal, state, and local child support
    enforcement agencies for the purposes of establishing and
    collecting child support obligations from individuals owing such
    obligations, including locating such individuals. Under IRC
    section 6103(p)(2), in conjunction with section 6l03(l)(6), IRS
    has authorized SSA to make disclosures to the Office of Child
    Support Enforcement, a federal agency that oversees child support
    enforcement at the federal level and acts as a coordinator for
    most programs involved with child support enforcement. Page 26
    GAO-GGD-99-164 Safeguarding Taxpayer Information Appendix II IRC
    Section 6103 Subsections That Authorize IRS to Disclose Taxpayer
    Information Subject to Safeguarding Requirements
    6103(l)(7)Disclosures of taxpayer information can be made to
    federal, state, and local agencies administering certain benefits
    programs for the purposes of determining eligibility for, or
    correct amount of, benefits under such programs. Section
    6103(l)(7) states that SSA will provide its return information
    [obtained under 6103(l)(1) or (5)] to other agencies to assist
    them with specific welfare programs. The states (and other
    authorized agencies) provide the names and Social Security numbers
    of welfare applicants or recipients, and SSA provides the
    authorized information, such as wages and self-employment (net
    earnings) and retirement income. This disclosure between SSA and
    the other agencies is called the Beneficiary and Earnings Data
    Exchange Program. A similar program, the 1099 Program, involves
    the disclosure of unearned income information between IRS and
    federal, state, and local agencies administering these programs.
    6103(l)(8)Disclosures of taxpayer information can be made by SSA
    to other state and local child support enforcement agencies for
    the same purposes as 6103(l)(6).1 6103(l)(9)Disclosures of
    taxpayer information can be made to state administrators of state
    alcohol laws for use in the administration of such laws. The
    disclosure is limited to information on alcohol fuel producers
    only. 6103(l)(10)Disclosures of specific taxpayer information
    relating to tax refund offsets can be made to the agency
    requesting such offsets in order to collect specified debts, such
    as student loans or child support payments. This disclosure
    between IRS and other agencies was known as the Tax Refund Offset
    Program. This program is currently undergoing a "transition." In
    the past, agencies received pre-offset debtor addresses, debtor
    identity information, the filing status (if joint), and any
    payment amount to the spouse of a joint return from IRS. Effective
    January 1, 1999, Treasury's Financial Management Service assumed
    complete responsibility for the Treasury Offset Program. Except in
    the case of tax refund offsets to collect child support debts,
    agencies are now receiving offset information under the Treasury
    Offset Program procedures. Tax refund offset will, in general, be
    blended, or amalgamated, with other Treasury "offsets," such as
    salary offsets. FMS is to perform the blending and tax information
    is not to be identified beyond FMS, except for agencies involved
    in collecting child support debts. When tax refund offset
    information is blended and 1According to IRS data, there are
    currently no disclosures being made under 6103(8). Section
    6103(l)(6) allows IRS to provide the same information to federal,
    state, and local agencies. Page 27
    GAO-GGD-99-164 Safeguarding Taxpayer Information Appendix II IRC
    Section 6103 Subsections That Authorize IRS to Disclose Taxpayer
    Information Subject to Safeguarding Requirements unidentifiable
    under the Treasury Offset Program procedures, it is no longer
    considered return information and section 6103(p)(4) safeguarding
    procedures are not required. 6103(l)(11)Disclosures of taxpayer
    information can be made by SSA to the Office of Personnel
    Management (OPM) for the purpose of administering the federal
    employees' retirement system (chs. 83 and 84 of title 5, U.S.C.).
    The common name for this disclosure between SSA and OPM is the
    Federal Employees' Retirement System Program. It involves a
    computer match where OPM provides the names and Social Security
    numbers of federal employees participating in the federal
    retirement system and SSA provides the wages, self-employment
    earnings, and retirement income information obtained under IRC
    sections 6103(l)(1) and (l)(5). 6103(l)(12)Taxpayer information
    can be disclosed by IRS to SSA and by SSA to the Health Care
    Financing Administration (HCFA) to administer the Medicare
    program. The common name for this type of disclosure is the
    Medicare Secondary Payer Project. The purpose of this disclosure
    is to identify the employment status of Medicare beneficiaries to
    determine if medical care is covered by group health plans. It
    permits IRS to provide SSA with identity information, filing and
    marital status, and spouse's name and Social Security number for
    specific years for any Medicare beneficiary identified by SSA. It
    also permits SSA to disclose to HCFA the names and Social Security
    numbers of Medicare beneficiaries receiving wages above a
    specified amount. Additionally, it permits HCFA to disclose
    certain return information to qualified employers and group health
    plans. 6103(1)(13)Disclosures of taxpayer information can be made
    to the Department of Education to administer the "Direct Student
    Loans" program.2 6103(l)(14)Disclosures of taxpayer information
    can be made to U.S. Customs to audit evaluations of imports and
    exports, and to take other actions to recover any loss of revenue
    or collection of duties, taxes, and fees determined to be due and
    owed as a result of such audits. 6103(1)(16)Disclosures of
    taxpayer information can be made by SSA to officers or employees
    of the Department of the Treasury, a trustee or any 2According to
    IRS, no disclosures have been made under this provision. Instead,
    the Department of Education has obtained taxpayer information
    pursuant to taxpayer consents under section 6103(c). Such
    disclosures are not subject to safeguards. Page 28
    GAO-GGD-99-164 Safeguarding Taxpayer Information Appendix II IRC
    Section 6103 Subsections That Authorize IRS to Disclose Taxpayer
    Information Subject to Safeguarding Requirements designated
    officer, employee, or actuary of a trustee (as defined in the D.C.
    Retirement Protection Act), for the purpose of determining an
    individual's eligibility for, or the correct amount of, benefits
    under the District of Columbia Retirement Protection Act of 1997.
    6103(l)(17)Disclosures of taxpayer information can be made to the
    National Archives and Records Administration for the purposes of
    appraisal of records for destruction or retention. Section 6103
    (m)(2), (4), (6), and (7) are not subject to 6103(p)(4) IRC
    Section 6103(m)          safeguarding requirements unless address
    and entity information is Disclosures of Taxpayer
    redisclosed to an agent. If redisclosed to an agent, both the
    agency and the Identity Information          agent must safeguard
    the information. 6103(m)(2)Disclosures of taxpayer information can
    be made to federal agencies for collection of federal claims under
    the Federal Claims Collection Act. Section 6103(m)(2) authorizes
    IRS to provide the mailing addresses of taxpayers to any federal
    agency to locate taxpayers in an attempt to collect federal
    claims. The common names for this type of disclosure is Taxpayer
    Address Request Program or the Recovery and Collection of
    Overpayment Process. It involves the federal agency providing IRS
    with a listing of debtors, identified by Social Security number
    and name, and IRS then providing the agency with the same
    information and the latest known address. 6103(m)(4)Disclosures of
    taxpayer information can be made to the Department of Education
    for collection of Student Loans. 6103(m)(6)Disclosures of taxpayer
    information can be made to officers and employees of the Blood
    Donor Locator Service in the Department of Health and Human
    Services for the purpose of locating individuals to inform donors
    of the possible need for medical care and treatment relating to
    acquired immune deficiency syndrome. 6103(m)(7)Disclosures of
    taxpayers' mailing addresses can be made to SSA for the purpose of
    mailing the Personal Earnings and Benefit Estimate Statements
    (Social Security account statements). 6103(n)Disclosures of
    taxpayer information can be made to contractors IRC Section
    6103(n)          to the extent necessary and for the various
    activities and services related Disclosures to Contractors    to
    tax administration. These disclosures can only be made by the
    Treasury Department, a state tax agency, SSA, and the Department
    of Justice and in accordance with regulations prescribed by the
    IRS Commissioner. Page 29                              GAO-GGD-99-
    164 Safeguarding Taxpayer Information Appendix II IRC Section 6103
    Subsections That Authorize IRS to Disclose Taxpayer Information
    Subject to Safeguarding Requirements 6103(o)(1)Disclosures of
    taxpayer information can be made to ATF for IRC Section 6103(o)
    administering certain taxes on alcohol, tobacco, and firearms.
    Disclosures With Respect to Certain Taxes Tables II.1 and II.2
    show, for the agencies we surveyed that received taxpayer
    information in 1997 or 1998, the authorization under which they
    received the information. Table II.1: IRC Authorization for
    Federal Agencies to Receive Taxpayer Information IRC section 6103
    subsections Federal agency
    6103(d) 6103(f) 6103(h) 6103(i) 6103(j) 6103(l) 6103(m) 6103(o)
    Other Central Intelligence Agency
    X Defense Finance and Accounting Service
    X              X Department of Agriculture
    X          X                   X              X Department of
    Commerce
    X         X Department of Education
    X Department of Health and Human Services
    X Department of Housing and Urban Development
    X              X Department of the Interior
    X Department of Justice
    X          X                   X              X    X Department of
    Labor
    X                   X              X         X Department of State
    X Department of Transportation
    X                                  X         X Department of the
    Treasury                                                    X
    X                   X              X    X Department of Veterans
    Affairs
    X              X Equal Employment Opportunity Commission
    X Federal Emergency Management Agency
    X General Accounting Office                                  X
    X                    X                   X General Services
    Administration
    X National Archives and Records Administration
    X National Labor Relations Board
    X National Science Foundation
    X Office of Independent Counsel
    X          X Office of Personnel Management
    X Pension Benefit Guaranty Corporation
    X Securities and Exchange Commission
    X              X Small Business Administration
    X Social Security Administration
    X                   X              X United States Marine Corps
    X U.S. Information Agency
    X U.S. Peace Corps
    X          X                                  X U.S. Postal
    Service
    X Source: IRS' Office of Safeguards and agencies' responses to our
    survey. Page 30                                  GAO-GGD-99-164
    Safeguarding Taxpayer Information Appendix II IRC Section 6103
    Subsections That Authorize IRS to Disclose Taxpayer Information
    Subject to Safeguarding Requirements Table II.2: IRC Authorization
    for State and Local Agencies to Receive Taxpayer Information IRC
    section 6103 subsections State agency
    6103(d) 6103(f) 6103(h) 6103(I) 6103(j) 6103(l) 6103(m) 6103(o)
    Other Alabama Department of Human Resources
    X California State Controller's Office                       X
    California Department of Social Services
    X California Franchise Tax Board                             X
    Connecticut Department of Social Services
    X Delaware Department of Health & Social Services
    X District of Columbia Office of Corporate Counsel
    X District of Columbia Office of Tax & Revenue               X
    Florida Department of Children & Family Services
    X Georgia Department of Human Resources
    X Georgia Department of Revenue                              X
    Illinois Department of Human Services
    X Illinois Department of Public Aid
    X Kansas Department of Revenue                               X
    Kentucky Cabinet for Families & Children, Child
    X Support Enforcement Agency Kentucky Cabinet for Families &
    Children, Welfare
    X Division Louisiana Department of Health & Hospitals
    X Louisiana Department of Revenue                            X
    Massachusetts Department of Transitional
    X Assistance Mississippi Division of Medicaid
    X Missouri Department of Revenue                             X
    X Montana Department of Revenue                              X
    Nebraska Department of Health & Human
    X Services, Child Support Enforcement New Jersey Department of
    Human Services
    X New Mexico Human Services Department
    X Nevada Department of Human Resources
    X North Dakota Office of State Tax Commissioner              X
    Rhode Island Department of Administration                  X Texas
    Comptroller of Public Accounts                       X Virginia
    Department of Social Services, Division of
    X Child Support Enforcement Virginia Department of Social Services
    X Vermont Department of Taxes                                X
    Wisconsin Department of Revenue                            X West
    Virginia Department of Tax and Revenue                X Source:
    Agencies' responses to our survey. Page 31
    GAO-GGD-99-164 Safeguarding Taxpayer Information Appendix III
    Overview of Information Provided to Federal Agencies Under the
    Provisions of IRC Section 6103 Internal Revenue Code (IRC) section
    6103 allows the Internal Revenue Service (IRS) to disclose
    taxpayer information to federal agencies and authorized employees
    of those agencies. Disclosure of taxpayer information is to be
    used strictly for the purposes outlined by federal statutes and in
    accordance with IRS policy and procedures. IRC sections 6103(h)
    and 6103(i) allow IRS to disclose taxpayer information to the
    employees and officers of any federal agency for tax
    administration purposes as well as for the administration of
    federal laws not related to tax. Under 6103(h), IRS can disclose
    information to the Department of Justice for federal tax
    investigations and to the Social Security Administration (SSA) and
    Railroad Retirement Board (RRB) for purposes of withholding
    taxes.1 IRC section 6103(i) allows the disclosure of information
    for use in federal nontax criminal investigations and other
    activities not related to tax administration. Table III.1 shows
    some types of taxpayer information disclosed and the disclosure
    format and frequency. Table III.1:  Disclosure to Federal
    Taxpayer information provided
    Format               Frequency Agencies for Tax Administration and
    the    Criminal tax investigation reports and taxpayer listings
    Hard copy Upon request Administration of Federal Laws Not Related
    to Tax Administration              Individual and business income
    tax return information
    Hard copy Upon request (individual and business master files and
    return transaction files) Individual and corporate income tax,
    estate tax, partnership,
    Hard copy Upon request fiduciary, excise tax, and exempt
    organization audit reports Payer and payee information from W-2s,
    K-1s, Form 1099s,
    Hard copy Upon request and Form 5498 Taxpayers' mailing addresses
    Hard copy Upon request Legend Form 1099s Interest, dividend, and
    miscellaneous income statements Form 5498 Individual Retirement
    Arrangement Information K-1s Beneficiary's, partnership's, or
    shareholder's share of income, deductions, credits, etc. W-2s Wage
    and tax statements Source: IRS' Office of Safeguards. IRC section
    6103(j) allows IRS to disclose taxpayer information to the
    Departments of Agriculture and Commerce and to officers and
    employees of the Department of the Treasury for statistical use.
    Table III.2 shows the types of taxpayer information disclosed and
    the disclosure format and frequency. 1Specifically, section
    6103(h)(5) permits the disclosure of taxpayer information to SSA
    and RRB. According to IRS data, no disclosures have been made
    under this provision for numerous years. Page 32
    GAO-GGD-99-164 Safeguarding Taxpayer Information Appendix III
    Overview of Information Provided to Federal Agencies Under the
    Provisions of IRC Section 6103 Table III.2:  Disclosure to Federal
    Taxpayer information provided
    Format             Frequency Agencies for Statistical Purposes
    Information returns master file (SSN, name, address)
    Tape               Annually Individual master file extract (SSN,
    name, address, marital status, Tape
    Annually exemptions, dependents, income, and return type)
    Corporate income tax return information (name, address, EIN, net
    Tape
    Annually income or loss, assets, and gross receipts) Employment
    tax returns records (EIN, total compensation paid,
    Tape               Weekly taxable period, number of employees,
    total taxable wages paid, and tip income) Business master file
    entity (EIN, name, address, filing
    Tape               Monthly, requirements, accounting period, and
    employment code)
    annually a Weekly economic data and economic and agriculture
    census
    Tape               Annually (SSN, EIN, address, receipts,
    accounting period, wages, interest, assets, and cost of goods)
    Information from application for EIN
    Tape               Monthly, annually b Statistics of income
    corporate sample (credits, balance sheet,
    Tape               Annually income statement, and tax items)
    Legend EIN Employee identification number SSN Social Security
    number aSelected entity data such as EIN, name, address, etc., are
    disclosed annually. Changes in business status, such as those
    resulting from births, deaths, etc., are disclosed monthly.
    bMonthly disclosures are made to SSA, and with IRS approval, SSA
    can disclose information to Census annually. Source: IRS' Office
    of Safeguards. Under IRC section 6103(l), disclosures can be made
    to certain federal agencies for purposes other than for tax
    administration.2 Disclosure of taxpayer information can be made to
    any federal agency administering a federal loan program,3 as well
    as to those federal agencies administering certain programs under
    the Social Security Act, the Food Stamp Act of 1977, title 38
    U.S.C., or certain other housing assistance and benefits programs.
    Disclosures can also be made to SSA, RRB, the Pension Benefit
    Guaranty Corporation, and the Department of Labor for the
    administration of the Employee Retirement Income Security Act of
    1974 and for carrying out a return processing program. The
    Veterans Health Administration, Veterans Benefits Administration,
    and Department of Housing and Urban Development also receive
    federal taxpayer information from SSA and IRS under the authority
    of IRC section 2Sections 6103(l)(6), (7), and (8) also allow
    disclosure of taxpayer information to state and local agencies for
    child support and welfare purposes. 3Disclosure is limited to
    information regarding whether or not an applicant for a loan has a
    tax delinquent account. Page 33
    GAO-GGD-99-164 Safeguarding Taxpayer Information Appendix III
    Overview of Information Provided to Federal Agencies Under the
    Provisions of IRC Section 6103 6103(l)(7) for use in administering
    programs authorized under title 38 and certain housing assistance
    programs. SSA also receives unearned income information from IRS,
    which it uses in administering the Supplemental Security Income
    program. Additionally, IRC section 6103(l) allows disclosure by
    SSA to the Health Care Financing Administration and to certain
    other agencies for determining eligibility for, or the correct
    amount of, benefits. Table III.3 shows the types of taxpayer
    information disclosed and the disclosure format and frequency.
    Table III.3: Disclosure to Federal      Taxpayer information
    provided                                         Format
    Frequency Agencies for Purposes Other Than Tax    Form 8300
    information                                                 Hard
    copy     Upon request Administration                          Tax
    liability and delinquency information
    Hard copy     Upon request W-2s and W-3s (wage data submitted by
    employers)                      Electronic, Upon request hard copy
    Unearned income from various Form 1099s
    Tape          Monthly Wages, self-employment earnings and
    retirement income                 Tape,         Monthly,
    electronic    annually SSN, filing and marital status, taxpayer
    name, addresses,             Tape,         Upon request employee
    EINs
    electronic Individual income tax return information (SSN, filing
    status,         Tape          Monthly amount and nature of income,
    number of dependents) Legend EIN Employee identification number
    Form 1099s Interest, dividend, and miscellaneous income statements
    Form 8300 Report of Cash Payments Over $10,000 Received in a Trade
    or Business SSN Social Security number W-2s and W-3s Wages and tax
    statements Note: Data regarding Social Security payments are not
    considered taxpayer information because they are derived from SSA
    records. Wage data obtained from W-2s and W-3s and self-employment
    income and other income data received from IRS are taxpayer
    information. Source: IRS' Office of Safeguards. IRC section
    6103(m) allows the disclosure of taxpayer information for
    collecting federal claims and for locating registered blood
    donors. All federal agencies can receive the information for
    collection of claims, such as student loans, under the Federal
    Claims Collection Act. The Department of Health and Human Services
    receives the taxpayer information as part of its Blood Locator
    Service, for the purpose of locating donors. IRC section 6103(o)
    allows disclosures of the collection of certain taxes on alcohol,
    tobacco, and firearms. Table III.4 shows the types of taxpayer
    information disclosed and the disclosure format and frequency.
    Page 34                                  GAO-GGD-99-164
    Safeguarding Taxpayer Information Appendix III Overview of
    Information Provided to Federal Agencies Under the Provisions of
    IRC Section 6103 Table III.4:  Disclosure to Federal
    Taxpayer information provided
    Format       Frequency Agencies for Collecting Certain Federal
    Social Security number, taxpayer name, address
    Tape         Weekly Claims and Taxes and for Locating Donors
    Taxpayer name, address
    Electronic Weekly Source: IRS' Office of Safeguards. Page 35
    GAO-GGD-99-164 Safeguarding Taxpayer Information Appendix IV
    Overview of Information Provided to State and Local Agencies Under
    the Provisions of IRC Section 6103 Under the provisions of
    Internal Revenue Code (IRC) section 6103(d), the Internal Revenue
    Service (IRS) is authorized to make disclosures for state tax
    administration purposes to state tax officials and state and local
    law enforcement agencies. In general, taxpayer information can be
    disclosed to any state agency, body, or commission, or its legal
    representative for the administration of state tax laws, including
    for locating any person who may be entitled to a state income tax
    refund. Table IV.1 shows some of the types of taxpayer information
    disclosed and the disclosure format and frequency. Table IV.1:
    Disclosure to State Tax    Taxyer information provided
    Format          Frequency Officials and State and Local Law
    Employment tax audit reports pertaining to Form 940 -
    Hard copy       Quarterly Enforcement Agencies
    Employers Annual Unemployment Tax Return Audit results and
    information regarding reclassification of           Hard copy
    Quarterly independent contractor to employee status Individual and
    corporate income tax, estate tax, partnership, Hard copy
    Monthly fiduciary, excise tax, and exempt organization audit
    reports Late-filed income tax returns with a balance due
    Hard copy       Quarterly Criminal tax investigation reports and
    taxpayer listing               Hard copy       Quarterly Dyed
    diesel fuel inspection reports
    Hard copy       Quarterly Business tax return information (master
    file and return               Tape            Annually transaction
    file) Form 1040 information and third-party information returns
    Tape            Quarterly (underreporter program file) Audit and
    appeals information (audit adjustments and                  Tape
    Annually appellate level results) Individual income tax return
    information (master file and             Tape            Annually
    return transaction file) Database of IRS third-party information
    returns (Form                 Tape            Annually 1099s, W-
    2s, K-1s) Payer and payee information from W-2s, K-1s, Form 1099s,
    Tape                         Monthly and Form 5498 Listing of
    taxpayers who did not itemize on their federal             Tape
    Annually income tax return Information on the taxpaying population
    of a given state              Tape            Upon request
    Taxpayers mailing addresses
    Tape            Weekly Legend Form 940 Employers Annual
    Unemployment Tax Return Form 1040 U.S. Individual Income Tax
    Return Form 1099s Interest, dividend, and miscellaneous income
    statements Form 5498 Individual Retirement Arrangement Information
    K-1s Beneficiary's, partnership's, and shareholder's share of
    income, deductions, credits, etc. W-2s Wage and tax statement
    Note: Agencies are also authorized to make specific requests for
    tax information for a taxpayer they are working with. This may
    include IRS examination and collection files, wage and income
    information, bankruptcy files, and filing requirements for tax
    administration purposes. Source: IRS' Office of Safeguards. In
    addition to the types of taxpayer information shown in table IV.1,
    in some states, the Attorney General's Office receives inheritance
    tax and Page 36                                    GAO-GGD-99-164
    Safeguarding Taxpayer Information Appendix IV Overview of
    Information Provided to State and Local Agencies Under the
    Provisions of IRC Section 6103 estate tax information from IRS,
    including tax credits and closing letters to taxpayers. This type
    of taxpayer information is disclosed quarterly on hard copy or
    magnetic tape. In certain states, such as Texas, that have no
    state income tax, the State Comptroller's Office-which is
    responsible for collecting state sales and inheritance taxes-
    receives taxpayer information from IRS. The taxpayer information
    consists of estate and gift tax audit reports and income
    information, such as Form 1099s, on hard copy or magnetic tape,
    and transcripts of business returns. This information is received
    on an ongoing, as well as on a case-by-case, basis. The state of
    Wyoming also does not have an income tax, but its department of
    transportation enforces fuel tax laws. IRS provides Wyoming with
    fuel tax adjustment results on hard copy and only upon specific
    request. Some cities, such as St. Louis and Kansas City, levy an
    income-based tax on their residents and those taxpayers that work
    in the city. These cities receive income tax audit reports from
    IRS when adjustments are made to wages or self-employment income.
    This information is received quarterly on hard copy. IRC section
    6103(l)(6) allows IRS to disclose taxpayer information to state
    and local child support enforcement agencies.1 In general,
    taxpayer information can be disclosed to any state or local child
    support enforcement agency for establishing and collecting child
    support obligations, including any procedure for locating
    individuals owing such obligations. IRC section 6103(l)(8) permits
    the Social Security Administration (SSA) to disclose certain
    taxpayer information to state and local child support enforcement
    agencies. However, section (l)(6) also permits the disclosure of
    the same information, and more, to federal, state, and local
    agencies. Currently, SSA is not making any disclosures of taxpayer
    information to state and local child support enforcement agencies
    under 6103 section (l)(8), but is making disclosures to the
    federal Office of Child Support Enforcement (OCSE) on behalf of
    IRS. OCSE provides the names and, if known, Social Security
    numbers. SSA performs computer matches and provides Social
    Security numbers from SSA records, the last known address from SSA
    records, and the address of the last known employer 1IRC section
    6103(l)(6) also permits IRS to disclose certain taxpayer
    information to federal agencies, such as the Office of Child
    Support Enforcement-a federal agency that oversees child support
    enforcement at the federal level and acts as a coordinator for
    most programs involved with child support enforcement. Page 37
    GAO-GGD-99-164 Safeguarding Taxpayer Information Appendix IV
    Overview of Information Provided to State and Local Agencies Under
    the Provisions of IRC Section 6103 from W-2 and W-3 taxpayer
    information. OCSE then provides the information to the state and
    local child support enforcement agencies. Table IV.2 shows the
    other types of taxpayer information disclosed and the disclosure
    format and frequency. Table IV.2: Disclosure to State and Local
    Taxpayer information provided
    Format Frequency Child Support Enforcement Agencies
    Taxpayer addresses
    Tape              Weekly Individual income tax return information
    (Social Security number,
    Tape              Monthly filing status, amount and nature of
    income, number of dependents) Source: IRS' Office of Safeguards.
    Under IRC section 6103(l)(7), disclosures can be made to state and
    local agencies administering certain programs under the Social
    Security Act, the Food Stamp Act of 1977, title 38 U.S.C., or
    certain other housing assistance and benefits programs. The
    Deficit Reduction Act of 1984 required state public assistance
    agencies administering certain programs under the Social Security
    Act2 or the Food Stamp Act of 19773 to establish an income
    eligibility verification system. These agencies receive federal
    taxpayer information under the authority of the IRC 6103(l)(7)
    from SSA and IRS to be used solely for the purpose of, and to the
    extent necessary in, determining eligibility for, or the correct
    amount of benefits,under, the specified programs. The agencies
    receive wage and self-employment information from SSA through
    electronic transmissions and unearned income information (Form
    1099s) from IRS through magnetic tapes. Table IV.3 shows the type
    of information disclosed and the disclosure format and frequency.
    Table IV.3: Disclosure to State and Local    Taxpayer information
    provided
    Format Frequency Welfare Agencies
    Taxpayer addresses
    Tape              Weekly Individual income tax return information
    (Social Security number,
    Tape              Monthly filing status, amount and nature of
    income, number of dependents) Note: Data from SSA regarding Social
    Security payments are not considered taxpayer information because
    they are derived from SSA records. Wages obtained from W-2s/W-3s
    and self-employment income and other income data received from IRS
    are taxpayer information. Source: IRS' Office of Safeguards.
    2Temporary Assistance for Needy Families and Medicaid are the
    programs commonly administered by state public assistance
    agencies. 3The Personal Responsibility and Work Opportunity
    Reconciliation Act of 1996 states that "Notwithstanding any other
    provision of law, in carrying out the food stamp program, a State
    agency shall not be required to use an income and eligibility or
    an immigration status verification system . . . ." Page 38
    GAO-GGD-99-164 Safeguarding Taxpayer Information Appendix V
    Possible Uses for Federal Taxpayer Data Provided to Federal,
    State, and Local Agencies Internal Revenue Code (IRC) section 6103
    is very specific about the authorized use of any federal taxpayer
    data. During our study, Internal Revenue Service (IRS) officials
    and other federal and state officials indicated that there are
    many possible authorized uses for tax returns and return
    information in accordance with IRC section 6103 requirements.
    Agency officials stated that taxpayer information is used for tax
    administration and law enforcement purposes, for the
    administration of federal laws not related to tax administration,
    for statistical uses, for establishing and collecting child
    support obligations, and for determining eligibility for benefits.
    Table V.1 outlines some of the specific uses of federal taxpayer
    information. Table V.1: Possible Uses of Taxpayer        Agency
    Possible use Information by Federal, State, and Local    Federal
    Tax administration and tax withholding purposes Agencies
    Criminal investigation and litigation Reporting criminal
    activities Judicial or administrative procedures Enforce federal
    criminal or civil statutes Locate fugitives from justice
    Conducting government program audits Statistical purposes Offsets
    Storing and maintaining data for IRS Administration of welfare and
    public assistance programs Collection and enforcement of child
    support State and local    Verify taxpayer filed original or
    amended return and initiate state audit Initiate state penalty
    investigation Audit selection Provide listing of alleged violators
    of criminal tax laws Verify or update addresses Skip tracing Sales
    tax matching Identify nonfilers Determine discrepancies in
    reporting of income Identify S corporation shareholders who avoid
    state tax by taking dividends in lieu of wages Statistical and
    revenue forecasting Identify payers and employers not reporting to
    state and determine underreporters Identify partnerships with
    changes in number of partners to detect possible sale of
    partnership interest Compare officers' salaries and total wages
    paid on corporate returns to withholding tax filed Compare federal
    tax withheld to state tax withheld Locate delinquent taxpayers
    Identify out-of-state income
    (Continued) Page 39                                  GAO-GGD-99-
    164 Safeguarding Taxpayer Information Appendix V Possible Uses for
    Federal Taxpayer Data Provided to Federal, State, and Local
    Agencies Agency               Possible use State and local
    Motor fuels, estate, and gift tax enforcement Unearned income
    matching Provide income information for collection purposes
    Administration of welfare and public assistance programs Offsets
    Collection and enforcement of child support Civil and criminal
    investigation and litigation Source: IRS' Office of Safeguards.
    Page 40                                 GAO-GGD-99-164
    Safeguarding Taxpayer Information Appendix VI Summary of Tax
    Information Security Guidelines for Federal, State, and Local
    Agencies As a condition of receiving taxpayer information,
    agencies must show, to the satisfaction of the Internal Revenue
    Service (IRS), that their policies, practices, controls, and
    safeguards adequately protect the confidentiality of the taxpayer
    information they receive from IRS. The agencies must ensure that
    the information is used only as authorized by statute or
    regulation and disclosed only to authorized persons. IRS has
    implemented specific guidelines that all federal, state, and local
    agencies are to follow to properly safeguard taxpayer information.
    These guidelines, outlined in IRS Publication 1075, Tax
    Information Security Guidelines for Federal, State and Local
    Agencies, are summarized below. Federal, state, and local
    agencies, and other authorized recipients, may Requesting Taxpayer
    request taxpayer information from IRS in the form of a written
    request Information            signed by the head of the
    requesting agency or other authorized official. IRS also requires
    that a formal agreement-a Safeguard Procedures Report-be provided
    by the agency that specifies the procedures established and used
    by the agency to prevent unauthorized access and use and describes
    how the information will be used upon receipt. The Safeguard
    Procedures Report should be submitted to IRS at least 45 days
    before the scheduled or requested receipt of taxpayer information.
    Any agency that receives taxpayer information for an authorized
    use under Internal Revenue Code (IRC) section 6103 may not use the
    information in any manner or for any purpose not consistent with
    that authorized use. If an agency needs federal tax information
    for a different authorized use under a different provision of IRC
    section 6103, a separate request under that provision is
    necessary. An unauthorized secondary use is specifically
    prohibited and may result in discontinuation of disclosures to the
    agency and in the imposition of civil or criminal penalties on the
    responsible officials. Before granting agency officers and
    employees access to taxpayer information, officers and employees
    should certify that they understand security procedures and
    instructions requiring their awareness and compliance. Employees
    should be required to maintain their authorization to access
    taxpayer information through annual recertification. As part of
    the certification and at least annually, employees should be
    advised of the provisions of IRC 7213(a), 7213A, and 7431.1
    Agencies should make officers and employees aware that disclosure
    restrictions and the penalties apply even after employment with
    the agency has ended. 1IRC sections that prescribe civil and
    criminal penalties for unauthorized inspection or disclosure. Page
    41                                                           GAO-
    GGD-99-164 Safeguarding Taxpayer Information Appendix VI Summary
    of Tax Information Security Guidelines for Federal, State, and
    Local Agencies Taxpayer information may be obtained by state tax
    agencies from IRS only to the extent the information is needed,
    and is reasonably expected to be used, for state tax
    administration. Some state disclosure statutes and administrative
    procedures permit access to state tax files by other agencies,
    organizations, or employees not involved in tax matters. IRC
    6103(d) does not permit access to taxpayer information for
    purposes other than for state tax administration. State and local
    tax agencies are not authorized to furnish taxpayer information to
    other state agencies, tax or nontax, or to political subdivisions,
    such as cities or counties, for any purpose, including tax
    administration. State and local tax agencies may not furnish
    taxpayer information to any other states, even where agreements
    have been made, informally or formally, for the reciprocal
    exchange of state tax information. Also, nongovernment
    organizations, such as universities or public interest
    organizations performing research, cannot have access to taxpayer
    information. Statutes that authorize disclosure of taxpayer
    information do not authorize further disclosures. Unless IRC
    section 6103 provides for further disclosures by the agency, the
    agency cannot make such disclosures. Each agency must have its own
    exchange agreement with IRS or with the Social Security
    Administration (SSA). When an agency is receiving data under more
    than one section 6103 authorization, each exchange or release of
    taxpayer information must have a separate agreement. An agency's
    records of the taxpayer information it requests should include
    some account of the result of its use or why the information was
    not used. If an agency receiving taxpayer information on a
    continuing basis finds it is receiving information that, for any
    reason, it is unable to utilize, it should contact IRS to modify
    the request. Federal, state, and local agencies authorized under
    IRC section 6103 to Recordkeeping    receive taxpayer information
    are required by IRC section 6103 (p)(4)(A) to Requirements
    establish a permanent system of standardized records of requests
    made by or to them for disclosure of the information. The records
    are to be maintained for 5 years or for the applicable records
    control schedule, whichever is longer. When taxpayer information
    is received in electronic form, authorized employees of the
    recipient agency must be responsible for securing magnetic tapes
    or cartridges before processing and ensuring that the proper
    acknowledgment form is signed and returned to IRS. Tapes Page 42
    GAO-GGD-99-164 Safeguarding Taxpayer Information Appendix VI
    Summary of Tax Information Security Guidelines for Federal, State,
    and Local Agencies containing federal taxpayer information, any
    hard-copy printout of a tape, or any file resulting from the
    processing of a tape is to be recorded in a log that identifies
    (1) date received; (2) reel or cartridge control number contents;
    (3) number of records; (4) movement; and (5) if disposed of, the
    date and method of disposition. Taxpayer information, other than
    that in electronic form, must be maintained by (1) taxpayer name;
    2) tax year(s); (3) type of tax return or return information; (4)
    reason for the request; (5) date requested; (6) date received; (7)
    exact location of the taxpayer information; (8) who has had access
    to the data; and (9) if disposed of, the date and method of
    disposition. If the agency has the authority to make further
    disclosures, information disclosed outside the agency must be
    recorded on a separate list that reflects to whom the disclosure
    was made, what was disclosed, and why and when it was disclosed.
    IRS has categorized taxpayer and privacy information as high-
    security Secure Storage    items. Security for a document, item,
    or an area may be provided by locked containers of various types,
    vaults, locked rooms, locked rooms with reinforced perimeters,
    locked buildings, guards, electronic security systems, fences,
    identification systems, and control measures. The required
    security for taxpayer information received depends on the
    facility, the function of the agency, how the agency is organized,
    and what equipment is available. Agencies receiving taxpayer
    information are required to establish a uniform method of
    protecting data and items that require safeguarding. The Minimum
    Protection Standards System, which is utilized by most agencies,
    has been designed to provide agencies with a basic framework of
    minimum-security requirements. Since some agencies may require
    additional security measures, they should analyze their individual
    circumstances to determine the security needs at their facility.
    Care must be taken to deny access to areas containing taxpayer
    information during normal working hours. This can be accomplished
    by restricted areas, security rooms, or locked rooms. In addition,
    taxpayer information in any form (computer printout, photocopies,
    tapes, notes, etc.) must be protected during nonworking hours.
    This can be done through a combination of methods, including a
    secured or locked perimeter or secured area. Page 43
    GAO-GGD-99-164 Safeguarding Taxpayer Information Appendix VI
    Summary of Tax Information Security Guidelines for Federal, State,
    and Local Agencies When it is necessary to move taxpayer
    information to another location, plans must be made to properly
    protect and account for all of the information. Taxpayer
    information must be in locked cabinets or sealed packing cartons
    while in transit. Accountability should be maintained to ensure
    that cabinets or cartons do not become misplaced or lost. The
    handling of taxpayer information and tax-related documents must be
    such that the documents do not become misplaced or available to
    unauthorized personnel. Only those employees who have a need to
    know and to whom disclosures may be made under the provisions of
    the statute should be permitted access to information. In the
    event that taxpayer information is hand-carried by an individual
    in connection with a trip or in the course of daily activities, it
    must be kept with that individual and protected from unauthorized
    disclosure. Data stored and processed by computers and magnetic
    media should be physically secured and controlled in a restricted
    access area. If the confidentiality of the taxpayer information
    can be adequately protected, alternative work sites, such as
    employees' homes or other nontraditional work sites, can be used.
    Despite location, taxpayer information remains subject to the same
    safeguard requirements and the highest level of attainable
    security. Agencies are required by IRC 6103(p)(4)(C) to restrict
    access to taxpayer Restricting Access to    information only to
    persons whose duties or responsibilities require Taxpayer
    Information     access. Taxpayer information should be clearly
    labeled "federal tax information" and handled in such a manner
    that it does not become misplaced or available to unauthorized
    personnel. Access to taxpayer information must be strictly on a
    need-to-know basis. Information must never be indiscriminately
    disseminated, even within the recipient agency. Agencies must
    evaluate the need for taxpayer information before the data are
    requested or disseminated. An employee's background and security
    clearance should be considered when designating authorized
    personnel. No person should be given more taxpayer information
    than is needed to perform his or her duties. To avoid inadvertent
    disclosures, it is recommended that taxpayer information be kept
    separate from other information to the maximum extent possible. In
    situations where physical separation is impractical, the file
    should be clearly labeled to indicate the taxpayer information is
    Page 44                              GAO-GGD-99-164 Safeguarding
    Taxpayer Information Appendix VI Summary of Tax Information
    Security Guidelines for Federal, State, and Local Agencies
    included and the file should be safeguarded. Any commingling of
    data on tapes should be avoided. Processing of taxpayer
    information in magnetic media format, microfilms, photo
    impressions, or other formats should be performed by agency- owned
    and -operated facilities, or contractor or agency shared
    facilities. All systems that process taxpayer information must
    meet the provisions of OMB Circular A-130, appendix III and
    Treasury Directive Policy 71-10. The Department of Defense Trusted
    Computer System Evaluation Criteria (DOD 5200.28-STD), commonly
    called the "Orange Book," should be used as the basis for
    establishing systems that process taxpayer information. All
    computer systems processing, storing, and transmitting taxpayer
    information must have computer access protection controls
    (controlled access protection level C-2). To meet C-2
    requirements, the operating security features of the system must
    have (1) a security policy, (2) accountability, (3) assurance, and
    (4) documentation. Agencies should assign overall responsibility
    to an individual (security officer) who is knowledge about
    information technology and applications. This individual should be
    familiar with technical controls used to protect the system from
    unauthorized entry. The two acceptable methods of transmitting
    taxpayer information over telecommunications devices are
    encryption and the use of guided media. Encryption involves the
    altering of data objects in a way that the objects become
    unreadable until deciphered. Guided media involves the use of
    protected microwave transmissions or the use of end-to-end fiber
    optics. Connecting the agency's computer system to the Internet
    will require "firewall" protection to reduce the threat of
    intruders accessing data files containing taxpayer information.
    Agencies receiving taxpayer information from IRS are also required
    to conduct internal inspections. The purpose of these inspections
    is to ensure that adequate safeguard and security measures are
    maintained. Agencies should submit copies of these inspections to
    IRS with their annual Safeguard Activity Report. IRC section 6103
    (p)(4)(E) requires agencies receiving taxpayer Safeguard Reporting
    information to file a report that describes the procedures
    established and and Review             used by the agency for
    ensuring the confidentiality of the information received from IRS.
    The Safeguard Procedures Report is a record of how Requirements
    Page 45                              GAO-GGD-99-164 Safeguarding
    Taxpayer Information Appendix VI Summary of Tax Information
    Security Guidelines for Federal, State, and Local Agencies
    taxpayer information is to be processed and protected from
    unauthorized disclosure. Agencies should submit a new Safeguard
    Procedures Report every 6 years or whenever significant changes
    occur in their safeguard program. Agencies must file an annual
    Safeguard Activity Report, which advises IRS of changes to the
    procedures or safeguards described in the Safeguard Procedures
    Report. The Safeguard Activity Report also (1) advises IRS of any
    future actions that will affect the agency's safeguard procedures,
    (2) summarizes the agency's current efforts to ensure the
    confidentiality of the taxpayer information, and (3) certifies
    that the agency is protecting taxpayer information in accordance
    with IRC section 6103 requirements and the agency's own security
    requirements. A safeguard review is an on-site evaluation of the
    use of federal tax information received from IRS and the measures
    used by the receiving agency to protect that data. IRS conducts
    on-site reviews of agency safeguards regularly. Reviews of state
    and local agencies are conducted by IRS District Disclosure
    personnel. Reviews of federal agencies and state welfare agencies
    are conducted by the IRS Office of Governmental Liaison and
    Disclosure, Office of Safeguards. IRS safeguard reviews cover the
    six requirements of IRC section 6103(p)(4), which are (1)
    recordkeeping, (2) secure storage, (3) restricting access, (4)
    other safeguards, (5) reporting requirements, and (6) disposal.
    Agencies are required by IRC section 6103(p)(4)(F) to take certain
    actions Disposal of Taxpayer    upon completion of their use of
    taxpayer information in order to protect Information
    its confidentiality. Agency officials and employees should either
    return the information, and any copies, or make the information
    "undisclosable" and include in the agency's annual report a
    description of the procedures used. If the agency elects to return
    the information, a receipt process should be used. Taxpayer
    information should never be provided to agents or contractors for
    disposal unless authorized by the IRC. Page 46
    GAO-GGD-99-164 Safeguarding Taxpayer Information Appendix VII
    Examples of Deficiencies Found During IRS' Reviews of Agencies'
    Safeguarding Procedures The Internal Revenue Service (IRS)
    routinely conducts on-site reviews of agencies' safeguard
    procedures to ensure that the procedures fulfill IRS requirements
    for protecting taxpayer information from unauthorized disclosure.
    After completing the review, IRS prepares a report of its findings
    and recommendations and sends the report to the agency for
    comment. Upon receiving the agency's comments, IRS annotates its
    report to indicate whether it accepts responses as correcting any
    discrepancies reported. The following excerpts are examples of the
    findings, discussions, Case Examples    recommendations, agency
    responses, and IRS comments found in recent IRS reports of
    safeguard reviews. Case One Finding          The agency permitted
    a number of contractors to have access to return information. Some
    of the contractors are authorized to have access, while others are
    not. Also, when contractor access was authorized, the agency was
    not always including "safeguarding" clauses in all contracts.
    Discussion       The agency uses hundreds of contractors. Internal
    Revenue Code (IRC) section 6103 generally does not authorize
    contractors to have access to federal taxpayer information.
    Certain exceptions exist, such as section 6103(n), which permits
    contracts for tax administration purposes, and section 6103(m)(2)
    and (7), which permit disclosures for the collection of federal
    debt and for the mailing of personal earnings and benefits
    estimate statements, respectively. However, there is not an
    exception for the purposes of administering the agency
    responsibilities under the act, nor for most other IRC section
    6103 authorized disclosures. The agency uses contractors for the
    printing of the personal earnings and benefits estimate statements
    and has included a "safeguarding" clause, which requires that the
    contractor's employees be made aware of the taxpayer information,
    its restricted access and use, and the penalty provisions for
    unauthorized access or use. The agency also uses a contractor for
    developing microfilm with taxpayer information. This contractor is
    authorized access, but the contract does not contain
    "safeguarding" language relating to taxpayer information. It does
    have confidential clauses relating to the Privacy Act provisions.
    The agency has also contracted out for the disposal of the paper
    Form W- 2s and W-3s received. An earlier contract allowed for the
    contractor to shred the material to 2-inch strips or less, which
    does not meet the IRS Page 47                         GAO-GGD-99-
    164 Safeguarding Taxpayer Information Appendix VII Examples of
    Deficiencies Found During IRS' Reviews of Agencies' Safeguarding
    Procedures required standard of 5/16-inch or less for shredding.
    The current contract states that all material will be totally
    destroyed beyond legibility or reconstruction through shredding,
    maceration, or pulping. However, a visit to the contractor's site
    revealed that the contractor is shredding material, but not always
    to the original 2-inch requirement. The required "safeguarding"
    clauses are not in the contract, and the employer is not advising
    his employees of the confidentiality and penalties associated with
    accessing taxpayer information. Many other storage, retrieval, and
    disposal activities are contracted out by the agency. Two units of
    the agency use contractors to conduct most of the activities at
    their facilities, where beneficiary files (with taxpayer
    information) are stored in open boxes. This is also true of the
    records center that the agency contracts with to store, dispose
    of, and retrieve millions of beneficiary files. Other units of the
    agency are also contracting out for disposition of information.
    IRC section 6103 does not authorize these contractors to have
    access to taxpayer information, which they do. Recommendation
    In order to comply with IRC section 6103 and with IRS standards,
    the agency needs to review its use of contractors. When
    contractors are authorized to have access to taxpayer information,
    the agency needs to ensure that "safeguarding" clauses are
    included in the contracts. When contractors are not authorized
    access to this information, the agency needs to ensure that it is
    not permitting such access. Specific examples include *  adding
    the safeguarding clauses to the microfilm development contract; *
    adding the safeguarding clauses to the contract for the disposal
    of paper return information, mainly W-2s and W-3s; *  ensuring
    that disposal methods meet IRS standards; *  developing policies
    and procedures to ensure that contractors who are not authorized
    to have access do not have access; and *  making units and field
    offices aware of "unauthorized access" by contractors. Agency
    Response      The agency agreed that safeguarding clauses need to
    be included in contracts when contractors are authorized to have
    access to taxpayer information and that contractors should not
    have access unless authorized. IRS Comment          IRS was still
    being reviewing this agency's safeguard report and had not
    finalized its comments at the time we prepared our report. Page 48
    GAO-GGD-99-164 Safeguarding Taxpayer Information Appendix VII
    Examples of Deficiencies Found During IRS' Reviews of Agencies'
    Safeguarding Procedures Case Two Finding              The
    recordkeeping system at the agency's field offices does not meet
    all of the statutory requirements for tax information
    accountability. Discussion           When federal tax returns or
    return information are received, agencies are required to maintain
    a record of *  taxpayer name, *  tax year(s), *  type of
    information, *  reason for request, *  date requested, *  date
    received, *  exact location of data, and *  who has had access to
    the data. Further, if and when the data are disposed of, agencies
    are required to maintain a record of the date and method of
    disposition. Agency field offices maintain a system of records for
    tracking documents and evidence obtained during a criminal
    investigation. Returns and return information are generally placed
    in an evidence envelope and associated with the case files, which
    are kept in the office's filing area. The envelope is annotated as
    to contents and any additional descriptive information the case
    agent may write down. The agency's system of standardized records
    contained many of the required items listed above, but not all of
    them. Further, tax documents controlled by the agency's seizure
    team unit may not necessarily show who has had access to the
    information. Recommendation       Since information used to track
    returns and return information is dependent upon information
    furnished by the case agent, the agency should ensure that the
    agents are aware of the elements required to meet the statutory
    requirements for tracking federal tax data. Also, the seizure team
    unit may wish to consider using some type of "charge-out" form to
    record accesses to tax information. Agency Response      The
    agency uses a central recordkeeping system for maintaining all
    investigative files. The system is outlined in the Federal
    Register. During IRS' review, access to information by the IRS
    team was limited to the federal tax return and return information
    contained in the evidence envelope, and not to the entire file.
    Information regarding the taxpayer name, tax year(s), reasons for
    request, and data requested is contained in Page 49
    GAO-GGD-99-164 Safeguarding Taxpayer Information Appendix VII
    Examples of Deficiencies Found During IRS' Reviews of Agencies'
    Safeguarding Procedures the case file and supplied to IRS during
    the request for the information. The date received and type of
    information is maintained in the evidence log. Access to case
    information is restricted based on the need-to-know and to
    individuals having a file on the case. Agency procedures used for
    controlling access to federal tax return and return information
    within the seizure team unit are the same procedures used for
    investigative information. Information is restricted to
    individuals with a role in the asset forfeiture. IRS Comment
    Along with the agency's response, the appropriate Federal Register
    cite was provided. The agency's response was accepted. Case Three
    Finding            Agency employees that have access to federal
    tax data are not aware of the criminal and civil penalties that
    can be imposed for unauthorized disclosure of the data. Discussion
    IRS Publication 1075 requires that, as part of an agency's
    employee awareness program, each employee that has access to
    federal tax data should receive copies of IRC sections 7213(a) and
    7431, which describe the criminal and civil penalties applicable
    to the unauthorized disclosure of federal tax data. In addition,
    employees must be advised at least annually of these provisions.
    Personnel that IRS' review team talked with could not recall
    receiving copies of the IRC penalty provisions. Employees receive
    periodic reminders about protecting sensitive information;
    however, they are not specifically reminded of the provisions of
    IRC sections 7213(a) and 7431. Recommendation     All employees
    that are authorized to have access to federal tax data should
    receive a copy of IRC section 7213(a) and 7431, and they should be
    reminded at least annually of the criminal and civil penalties
    that can be imposed under the IRC for the unauthorized disclosure
    of federal tax data. Agency Response    Although employees were
    not specifically aware of the penalties for unauthorized
    disclosure of federal tax data as contained in the IRC, agency
    employees knew about the penalties for unauthorized disclosure of
    information contained in investigative files. IRS Comment
    The revised IRS Publication 1075 now contains penalty provisions
    in exhibits 3 and 4. Along with the agency response, IRS received
    a copy of Security Bulletin 96-03 with attachments A-2 and A-3,
    with instructions that the information in the document be reviewed
    annually by all personnel Page 50
    GAO-GGD-99-164 Safeguarding Taxpayer Information Appendix VII
    Examples of Deficiencies Found During IRS' Reviews of Agencies'
    Safeguarding Procedures who have access to tax return and return
    information provided to the agency by IRS. Observance of Security
    Bulletin 96-03 will satisfy the IRS requirement. Case Four Finding
    The last Safeguard Activity Report for this agency was dated June
    29, 1995-2 years before the review. Also, the report did not
    contain the information as required in IRS Publication 1075.
    Additionally, IRS records showed the last Safeguard Procedures
    Report was submitted in 1988. Discussion         The statute
    requires reports to be furnished to IRS describing the procedures
    established and utilized to ensure the confidentiality of tax data
    received from IRS. After the submission of the Safeguard
    Procedures Report, a written Safeguard Activity Report is to be
    submitted annually to give information regarding the agency's
    safeguard program. The Safeguard Procedures Report should be
    updated as changes occur, and a new report submitted when
    warranted. Recommendation     A Safeguard Activity Report must be
    submitted to IRS no later than January 31 each year. The report
    must contain the required information as shown in IRS Publication
    1075. Because of changes within the agency since 1988, a current
    Safeguard Procedures Report was requested. Agency Response    The
    agency responded that it would comply with all reporting
    requirements. It assigned its internal audit unit the annual
    inspection as required by IRS Publication 1075 and planned to
    submit the Safeguard Activity Report. The agency submitted an
    updated Safeguard Procedures Report. IRS Comment        IRS
    accepted the response, but explained to the agency that the
    Safeguard Procedures Report was not a "one-time" report and that
    it should be updated as changes occur and a new one submitted when
    warranted. IRS requested that a revised version be submitted
    reflecting changes made as a result of IRS' review. Case Five
    Finding            The agency's records did not list some
    employees who were receiving and using taxpayer information to
    determine Medicaid eligibility. Discussion         The Deficit
    Reduction Act of 1984 requires states to have an income and
    eligibility verification system for use in administering certain
    benefits Page 51                              GAO-GGD-99-164
    Safeguarding Taxpayer Information Appendix VII Examples of
    Deficiencies Found During IRS' Reviews of Agencies' Safeguarding
    Procedures programs. State welfare agencies are required to obtain
    and use unearned income data from IRS and other wage and income
    data from SSA in the verification process of these benefits
    programs. Accordingly, IRC section 6103 authorizes the disclosure
    of taxpayer information to federal, state, and local agencies by
    IRS or SSA for use in the administration of these benefits
    programs. As a condition of receiving taxpayer information, state
    welfare agencies are required to maintain a permanent system of
    standardized records that documents all requests for, receipt of,
    and disclosures of taxpayer information made to or by the
    agencies. During its review of this agency, IRS found that, while
    some employees acknowledged using taxpayer information, the
    agency's records did not list the employees as having received
    taxpayer information. IRS found that taxpayer information, in the
    form of a printout, was being disclosed to Medicaid technicians
    who are stationed at various state hospitals. The technicians
    receive the information to determine Medicaid eligibility for
    applicants who were hospitalized. Upon receipt from the agency's
    mailroom, the printout is accompanied by an acknowledgment form
    that employees must sign, indicating receipt of taxpayer
    information. IRS found that technicians were properly signing the
    acknowledgment form and returning it to the mailroom to indicate
    receipt of the information. However, the agency's records did not
    reflect that taxpayer information was being disclosed from the
    agency to its employees located at these various state hospitals.
    Recommendation     The state hospitals that get taxpayer
    information should be included so that the agency's records
    reflect a complete and accurate listing of all requests, receipts,
    and disclosures of taxpayer information. Agency Response    The
    Medicaid technicians are stationed at the state hospitals at
    various times. For this reason, any disclosure of taxpayer
    information to these hospitals will be managed by an agency
    coordinator. To improve recordkeeping, the coordinator will
    provide a listing of the disclosures, and this list, along with
    the agency acknowledgment forms, will be maintained in the
    standardized records. The General Services Mail and Distribution
    Manager will ensure that the records are received. IRS Comment
    Agency's response was acceptable. Page 52
    GAO-GGD-99-164 Safeguarding Taxpayer Information Appendix VII
    Examples of Deficiencies Found During IRS' Reviews of Agencies'
    Safeguarding Procedures Table VII.1 summarizes some of the other
    deficiencies found during IRS' Other Deficiencies
    on-site safeguard reviews of federal, state, and local agencies.
    Table VII.1: Examples of Agency Deficiencies Found During IRS'
    Safeguard Reviews General category                     Specific
    deficiency noted Maintaining system of standardized No system
    exists for ensuring that all keys to secure areas are accounted
    for or that access to keys records                              is
    restricted. No records exist of when taxpayer information was
    received and destroyed, or of how the information was destroyed.
    Maintaining secure storage           Taxpayer information locked
    in the supervisor's office, but not in locked containers or file
    cabinets, which would properly protect the information from
    inadvertent or unauthorized disclosure. Agency mailroom not secure
    during nonduty hours, and employees are leaving taxpayer
    information unsecured, in unlocked containers. No reconciliation
    of transmittal documents to actual receipts and shipments of
    federal return information. There was not adequate protection for
    tax information. There was no agency requirement that containers
    be locked, and some containers cannot be locked. There was not a
    specific individual responsible for physical security.
    Restricting/limiting access          Ground floor entrances were
    not locked during office hours, and there was a need for "Employee
    Only" signs. IRS tapes and income and eligibility verification
    system documents were transported via unsecured courier service.
    Tax information was combined with nontax information and
    accessible by other employees not directly involved in program.
    Several federal tax documents were found that were not labeled as
    such. Agency was sharing taxpayer information with other state
    agencies and contractors that are not authorized to receive
    information. Disposal of taxpayer information     Agency was using
    an unauthorized method of destroying taxpayer information.
    Existing procedures for repairs to equipment do not appear to
    address removal of federal return information before repairs are
    made. Agency was not utilizing proper destruction procedures for
    taxpayer information that is no longer being used. Computer
    security                    Computer systems containing tax
    information do not display warning banners reminding employees of
    safeguarding requirements and associated penalties. Agency was not
    promptly removing from the system employees that no longer needed
    access to taxpayer information. Taxpayer data was not transmitted
    through secure communication lines to prevent unauthorized use or
    access. Unsecured dial-in modems were being used for taxpayer
    information on agency systems, and information on the mainframe
    was not adequately restricted. Other safeguards
    Employees were not properly trained on all aspects of safeguarding
    tax information. Some were not aware of the civil and criminal
    penalties associated with unauthorized disclosure or of the
    Taxpayer Browsing Act. Internal security inspections were not
    conducted, or the results were not documented. There was no
    documentation of corrective actions, if any were taken. The agency
    needs to post signs and send memos to remind employees of their
    responsibility to safeguard federal tax information. Source: IRS
    Office of Safeguards. Page 53                                 GAO-
    GGD-99-164 Safeguarding Taxpayer Information Appendix VIII
    Staffing Levels for IRS' Office of Safeguards Listed below are the
    staffing levels, as of June 1999, for IRS' national and district
    offices that are responsible for IRS' safeguarding program. In
    addition to overseeing the safeguarding program, the district
    offices have responsibilities for a variety of other disclosure
    activities.  These activities include, among other things,
    conducting disclosure awareness seminars for state and local
    agency personnel, processing Freedom of Information Act and
    Privacy Act requests, processing ex parte orders for grand jury or
    federal criminal investigations, testifying in federal court to
    certify that certain documents are true copies of tax return
    information, and reviewing subpoenas served to IRS personnel to
    advise them of what they can and cannot disclose in court. Number
    of staff Office
    Professional Support        Total National Office of Safeguards
    12                  12 I      Midstates Region
    3                  3 1      Arkansas-Oklahoma District
    415 2      Houston Districta
    5                  5 3      Illinois District
    92 11 4      Kansas-Missouri District
    718 5      Midwest District
    11          2       13 6      North Central District
    8                  8 7      North Texas Districta
    617 8      South Texas District
    516 Regional subtotal                                         58
    8       66 II     Northeast Region
    3                  3 9      Brooklyn Districta
    4                  4 10     Connecticut-Rhode Island District
    4                  4 11     Manhattan District
    314 12     Michigan District
    5                  5 13     New England District
    9                  9 14     New Jersey District
    415 15     Ohio District
    5                  5 16     Pennsylvania District
    617 17     Upstate New York District
    415 Regional subtotal                                         47
    4       51 III    Southeast Region
    4                  4 18     Delaware-Maryland District
    718 19     Georgia District
    516 20     Gulf Coast District
    819 21     Indiana District
    4                  4 22     Kentucky-Tennessee District
    617 23     North Florida District
    5                  5 24     North-South Carolina District
    516 25     South Florida Districta
    415 26     Virginia-West Virginia District
    5                  5 Regional subtotal
    53          6       59 (Continued) Page 54
    GAO-GGD-99-164 Safeguarding Taxpayer Information Appendix VIII
    Staffing Levels for IRS' Office of Safeguards Number of staff
    Office                                              Professional
    Support        Total IV    Western Region
    3                  3 27    Central California District
    617 28    Los Angeles District
    617 29    Northern California District
    11          2       13 30    Pacific-Northwest District
    10          1       11 31    Rocky Mountain District
    91 10 32    Southern California District
    8                  8 33    Southwest District
    7                  7 Regional subtotal
    60          6       66 Total
    230         24      254 aNot responsible for any safeguard review
    activities. Source: IRS' Office of Safeguards. Page 55
    GAO-GGD-99-164 Safeguarding Taxpayer Information Appendix IX
    Questionnaires Used to Survey Federal, State, and Local Agencies
    Receiving Taxpayer Information Figure IX.1: Survey of Federal
    Agencies Receiving Taxpayer Data Page 56                  GAO-GGD-
    99-164 Safeguarding Taxpayer Information Appendix IX
    Questionnaires Used to Survey Federal, State, and Local Agencies
    Receiving Taxpayer Information Page 57
    GAO-GGD-99-164 Safeguarding Taxpayer Information Appendix IX
    Questionnaires Used to Survey Federal, State, and Local Agencies
    Receiving Taxpayer Information Figure IX.2: Survey of State and
    Local Agencies Receiving Taxpayer Data Page 58
    GAO-GGD-99-164 Safeguarding Taxpayer Information Appendix IX
    Questionnaires Used to Survey Federal, State, and Local Agencies
    Receiving Taxpayer Information Page 59
    GAO-GGD-99-164 Safeguarding Taxpayer Information Appendix X
    Comments From the Internal Revenue Service Page 60    GAO-GGD-99-
    164 Safeguarding Taxpayer Information Appendix XI GAO Contacts and
    Staff Acknowledgments Cornelia Ashby, (202) 512-9110 GAO Contacts
    Joseph Jozefczyk, (202) 512-9110 In addition to those named above,
    Michelle Bowsky, John Gates, Tim Acknowledgments    Outlaw, Anne
    Rhodes-Kline, Kirsten Thomas, and Carrie Watkins made key
    contributions to this report. Page 61
    GAO-GGD-99-164 Safeguarding Taxpayer Information Page 62    GAO-
    GGD-99-164 Safeguarding Taxpayer Information Page 63    GAO-GGD-
    99-164 Safeguarding Taxpayer Information Page 64    GAO-GGD-99-164
    Safeguarding Taxpayer Information Ordering Information The first
    copy of each GAO report and testimony is free. Additional copies
    are $2 each. Orders should be sent to the following address,
    accompanied by a check or money order made out to the
    Superintendent of Documents, when necessary. VISA and MasterCard
    credit cards are accepted, also. Orders for 100 or more copies to
    be mailed to a single address are discounted 25 percent. Order by
    mail: U.S. General Accounting Office P.O. Box 37050 Washington, DC
    20013 or visit: Room 1100 700 4th St. NW (corner of 4th and G Sts.
    NW) U.S. General Accounting Office Washington, DC Orders may also
    be placed by calling (202) 512-6000 or by using fax number (202)
    512-6061, or TDD (202) 512-2537. Each day, GAO issues a list of
    newly available reports and testimony. To receive facsimile copies
    of the daily list or any list from the past 30 days, please call
    (202) 512-6000 using a touch-tone phone. A recorded menu will
    provide information on how to obtain these lists. For information
    on how to access GAO reports on the INTERNET, send e-mail message
    with "info" in the body to: [email protected] or visit GAO's World
    Wide Web Home Page at: http://www.gao.gov United States General
    Accounting Office           Bulk Rate Washington, D.C. 20548-0001
    Postage & Fees Paid GAO Permit No. G100 Official Business Penalty
    for Private Use $300 Address Correction Requested (268874)

*** End of document. ***