Taxpayer Confidentiality: Federal, State, and Local Agencies Receiving
Taxpayer Information (Letter Report, 08/30/1999, GAO/GGD-99-164).
Federal, state, and local agencies are authorized to receive from the
Internal Revenue Service (IRS) information on taxpayers that they need
to assist in their administration and enforcement of laws. These
agencies are required to protect the confidentiality of the information
they receive and to implement safeguards to prevent unauthorized access,
disclosure, and use. This report discusses (1) which federal, state, and
local agencies receive taxpayer information from IRS; (2) the type of
information they receive; (3) how that information is being used; (4)
what policies and procedures the agencies are required to follow to
safeguard that information; (5) how often IRS is to monitor agencies'
adherence to the safeguarding requirements; and (6) the results of IRS'
most recent monitoring efforts.
--------------------------- Indexing Terms -----------------------------
REPORTNUM: GGD-99-164
TITLE: Taxpayer Confidentiality: Federal, State, and Local
Agencies Receiving Taxpayer Information
DATE: 08/30/1999
SUBJECT: Confidential communication
Internal controls
Information leaking
Tax information confidentiality
Interagency relations
Reporting requirements
United States General Accounting Office
GAO
Report to the Joint Committee on Taxation, U.S. Congress
August 1999

TAXPAYER CONFIDENTIALITY
Federal, State, and Local Agencies Receiving Taxpayer Information

GAO-GGD-99-164

United States General Accounting Office
Washington, D.C. 20548
General Government Division

B-282749

August 30, 1999

The Honorable Bill Archer
Chairman
The Honorable William V. Roth, Jr.
Vice Chairman
Joint Committee on Taxation

The concerns of citizens and
Congress regarding individual rights to privacy have made it
important to assess the disclosure practices and safeguards
employed by the Internal Revenue Service (IRS) and other federal,
state, and local agencies to protect taxpayer information.
Federal, state, and local agencies are authorized under Internal
Revenue Code (IRC) section 6103 to receive from IRS the taxpayer
information they need to assist in their administration and
enforcement of laws. These agencies are required to protect the
confidentiality of the information they receive and implement
safeguards that are designed to prevent unauthorized access,
disclosure, and use. Section 3802 of the IRS Restructuring and
Reform Act of 1998 requires that both the Joint Committee on
Taxation and the Secretary of the Treasury conduct a study of the
scope and use of section 6103 provisions regarding taxpayer
confidentiality. To assist in this effort, you requested that we
provide you with information about

* which federal, state, and local agencies receive taxpayer
  information from IRS (see apps. I and II);
* what type of information they receive (see apps. III and IV);
* how the taxpayer information is being used (see app. V);
* what policies and procedures the agencies are required to
  follow to safeguard taxpayer information (see app. VI);
* how frequently IRS is to monitor agencies' adherence to the
  safeguarding requirements; and
* the results of IRS' most recent monitoring efforts (see app.
  VII).

Results in Brief

According to IRS, there were 37 federal and 215 state and local
agencies
that received, or maintained records containing, taxpayer
information under provisions of section 6103 during 1997 or 1998.
The information that the agencies received included, among other
things, the taxpayers' names, Social Security numbers, addresses,
and wages. The information came in a variety of formats (i.e.,
paper copy, electronic databases, and tape extracts).

Page 1 GAO-GGD-99-164 Safeguarding Taxpayer Information B-282749

Some agencies received the information on a regular
schedule (i.e., monthly, quarterly, or annually). Others received
the information on an as-needed basis, such as while conducting
criminal investigations. Federal, state, and local agencies said
they used taxpayer information for one of several purposes, such
as administering state tax programs, assisting in the enforcement
of child support programs, verifying eligibility and benefits for
welfare and public assistance programs, and conducting criminal
investigations. Before receiving taxpayer information from IRS,
agencies are required to advise IRS how they intend to use the
information and to provide IRS with a detailed safeguard plan that
describes the procedures established and used by the agency for
ensuring the confidentiality of the information they want to
receive. These safeguard plans are supposed to be updated every 6
years or if significant changes are made to the agencies'
procedures. IRS Publication 1075, Tax Information Security
Guidelines for Federal, State, and Local Agencies,[1] outlines what
must be included in an agency's safeguard plan. Agencies are also
required to submit annual reports to IRS summarizing their efforts
to safeguard taxpayer information and any minor changes to their
safeguarding procedures. In addition to providing IRS with
safeguard plans and annual reports, agencies' Offices of Inspector
General (OIG) may also review internal agency programs for
safeguarding restricted or classified information. For example, in
March 1999, the Department of Veterans Affairs' (VA) OIG issued a
report on its review of the Evaluation of VHA's Income
Verification Match Program (Report No. 9R1-G01-054, Mar. 15,
1999). This report outlined possible inappropriate requests for and
subsequent use of taxpayer information by VA's Health Eligibility
Center. IRS conducts on-site reviews to ensure that agencies'
safeguard procedures fulfill IRS requirements for protecting
taxpayer information. IRS' National Office of Governmental Liaison
and Disclosure, Office of Safeguards, has overall responsibility
for safeguard reviews to assess whether taxpayer information is
properly protected from unauthorized use or access as required by
the IRC and to assist in reporting to Congress. Safeguard reviews
are to be conducted every 3 years. IRS' safeguard reviews have
identified discrepancies in agency safeguard procedures and made
recommendations for corrections. The reviews have uncovered
problems with agency safeguarding procedures, ranging
from inappropriate access to taxpayer information by contractor
staff to administrative matters, such as the failure to properly
document the disposal of information.

[1] Publication 1075 has been revised periodically, most recently
in March 1999.

Background

IRS began exchanging federal taxpayer data with state tax
administration agencies in the 1920s, but it was not until the
Tax Reform Act of
1976 that Congress declared federal tax returns and return
information to be confidential. The Tax Reform Act specified IRS'
responsibilities for safeguarding taxpayer information against
unauthorized disclosure while authorizing IRS to share this
information with state agencies for tax administration purposes.
Congress also authorized the sharing of taxpayer information with
child support programs to assist with enforcement, such as
locating individuals owing child support. In 1984, Congress
authorized IRS to share data to support federal and state
administration of other programs, such as Aid to Families With
Dependent Children[2] and Medicaid, to assist in verifying
eligibility and benefits. Disclosures of federal taxpayer
information to an agency are restricted to the agency's justified
need for and use of such information. Unauthorized inspection,
disclosure, or use of taxpayer information is subject to civil and
criminal penalties.

Objective, Scope, and Methodology

The objective of this study was to provide the Committee with
information on how federal, state, and local agencies use the
taxpayer information they are authorized to obtain under
section 6103.[3] To meet our objective, we met with officials in
IRS' Office of Governmental Liaison and Disclosure, Office of
Safeguards, and select IRS District Disclosure Offices. We also
reviewed IRS documentation of reports submitted by federal, state,
and local agencies on the safeguard procedures used to protect
taxpayer information. In addition, we reviewed IRS reports of its
monitoring efforts at these agencies. IRS provided us with lists
of federal, state, and local agencies that had received taxpayer
information during 1997 or 1998. We surveyed the agencies, asking
them under what authority they received taxpayer information, how
they received it, what they used the information for, and whether
there were alternate sources of data they could use in lieu of
taxpayer information. We also asked them about IRS' monitoring
efforts and to identify any safeguard deficiencies that have been
noted during recent internal or external reviews. Copies of our
questionnaires are reproduced in appendix IX.

[2] The Aid to Families With Dependent Children program has been
replaced by the Temporary Assistance for Needy Families program.

[3] Our study did not address disclosure of taxpayer information
to agencies pursuant to taxpayer consents under section 6103(c),
which are not subject to the safeguard requirements of section
6103(p)(4).

We surveyed all of
the federal agencies in the Washington, D.C., metropolitan area
that IRS identified as having received taxpayer information. The
response rate was 100 percent from these agencies. In some cases,
we sent a questionnaire to more than one contact for a particular
agency. For example, for the Department of Labor, IRS identified
four separate components as receiving taxpayer information. Thus,
IRS gave us the names of four separate contact persons at Labor.
We mailed our questionnaire to 50 agency contact persons. In our
cover letter, we encouraged them to distribute copies of the
questionnaire to all other entities within the agency that
received taxpayer information from IRS and asked that an
appropriate representative from those units return a completed
questionnaire. Several agencies that had only one contact person
listed by IRS returned multiple questionnaires from different
units within their agencies that use taxpayer information. For
example, the Department of Transportation had only one contact
person to whom we mailed our questionnaire, but staff in the
Department completed and returned 10 questionnaires. In total, we
received 98 questionnaires from the 50 agency contacts from whom
we requested information. From the list IRS provided of 215 state
and local entities that had received taxpayer information, we drew
a simple random probability sample of 35 entities. Each entity on
the IRS list had an equal, nonzero probability of being included
in the sample. Our sample, then, is only one of a large number of
samples that we might have drawn because we followed a probability
procedure based on random selection. Each sample could have
provided different estimates; thus, we can express our confidence
in the precision of our particular sample's results as a
95-percent confidence interval. This is the interval that would
contain the actual population value for 95 percent of the samples
we could have drawn. As a result, we are 95-percent confident
that each of the confidence intervals in this report will include
the true values in the study population. We mailed questionnaires
to the contact persons at each of the selected entities. Like the
federal agencies, some of the state and local agencies completed
more than one questionnaire. Thirty-four of the 35 state and
local agencies we surveyed returned at least
one questionnaire, for a response rate of 97 percent.[4] Given the
broad scope of our study and the required time frame for
completion, our audit work focused on collecting and presenting
the data from the agencies and IRS. As agreed with your office, we
did not verify the information that we collected. We also did not
evaluate the efforts of IRS or the federal, state, and local
agencies to safeguard taxpayer information. We performed our work
at IRS' National Office of Safeguards and select IRS District
Disclosure Offices. Our work was done between March and August
1999 in accordance with generally accepted government auditing
standards. We requested comments on a draft of this report from
the Commissioner of Internal Revenue. IRS provided written
comments in an August 16, 1999, letter, which is reprinted in
appendix X. The comments are discussed near the end of this
letter.

Which Federal, State, and Local Agencies Receive Taxpayer
Information?

According to IRS, there were 37 federal and 215 state and
local agencies that received, or maintained records containing,
taxpayer information under provisions of IRC section 6103 during
1997 or 1998. We surveyed all of the 34 federal agencies in the
Washington, D.C., metropolitan area that IRS identified as having
received taxpayer information. In responding to our
questionnaire, 3 of the 34 federal agencies (Agency for
International Development, Department of Energy, and
Environmental Protection Agency) indicated that they did not
receive any taxpayer information during 1997 or 1998. In
addition, two agencies (Equal Employment Opportunity Commission
and Securities and Exchange Commission) indicated that they did
not receive any taxpayer information
during 1998. Among these 34 federal agencies, however, there were
several that had more than one department or unit that utilized
the taxpayer information received. From the list IRS provided of
215 state and local entities that were receiving taxpayer
information, we drew a simple random probability sample of 35
entities. Only one of our sampled state and local entities
(Alabama Department of Human Resources) indicated that it did not
receive any taxpayer information in 1997, and all of them
indicated that they had received taxpayer information in 1998.[5]

[4] The one outstanding agency, Maryland Department of Human
Resources, Child Enforcement Agency, returned a questionnaire as
we were processing this report. Because of the timing of when the
questionnaire was returned, we were unable to include this
response in our summary of information of state and local
agencies.

According to IRS officials, they generally categorize the
agencies into one of the following:

* Child support agencies: IRS discloses certain tax return
  information to federal, state, and local child support
  enforcement agencies.
* Welfare/public assistance agencies: IRS discloses certain tax
  return information to federal, state, and local agencies
  administering welfare/public assistance programs, such as food
  stamps and housing.
* State tax administration/law enforcement agencies: IRS
  discloses certain tax return information to federal, state, and
  local agencies for tax administration and the enforcement of
  state tax laws.
* Federal agencies: IRS discloses certain tax return information
  to federal agencies for certain other purposes.

What Type of Taxpayer Information Do Agencies Receive?

The type of taxpayer information agencies receive varies in
content, format, and frequency according to how agencies use the
information. Agencies may receive paper copies of individual tax
returns, electronic databases of IRS' individual and business
master files, or tape extracts
from these files. The information can include such things as the
taxpayers' names, Social Security numbers, addresses, or wages.
Table 1 shows examples of the different types of taxpayer
information agencies receive. As shown in table 1, agencies
receive taxpayer information in a variety of formats (for example,
paper copy, electronic databases, and tape extracts). Some
agencies receive this information on a regular schedule (for
example, monthly, quarterly, or annually). Other agencies receive
it on an as-needed basis (for example, while conducting criminal
investigations).

[5] On the basis of the questionnaire responses, we estimate that
between 0 and 9 percent of all state and local entities on IRS'
list did not receive taxpayer information in 1998, and between 0
and 14 percent did not receive taxpayer information in 1997.

Table 1: Examples of Types of Taxpayer Information Received by
Federal, State, and Local Agencies

Taxpayer information                                Format         Frequency
Individual and corporate income tax, estate tax,    Paper copy     Upon request
  partnership, fiduciary, excise tax, and exempt
  organization audit reports
Payer and payee information from W-2s, K-1s,        Paper copy     Upon request
  Form 1099s, and Form 5498
Taxpayers' mailing addresses                        Paper copy     Upon request
Information returns master file (SSN, name,         Tape           Annual
  address)
Individual master file extract (SSN, name,          Tape           Annual
  address, marital status, exemptions,
  dependents, income, and return type)
Corporate income tax return information (name,      Tape           Annual
  address, EIN, net income or loss, assets, and
  gross receipts)
Employment tax returns records (EIN, total          Tape           Weekly
  compensation paid, taxable period, number of
  employees, total taxable wages paid, and tip
  income)
Statistics of income corporate sample (credits,     Tape           Annual
  balance sheet, and income statement)
W-2s and W-3s (wage data submitted by employers)    Electronic,    Upon request
                                                    paper copy
Unearned income from various Form 1099s             Tape           Monthly
Wages, self-employment earnings, and retirement     Tape,          Annual,
  income                                            electronic     monthly
SSN, filing and marital status, taxpayer name,      Tape,          Upon request
  address, employee EINs                            electronic

Legend
EIN             Employee identification number
Form 1099s      Interest, dividend, and miscellaneous income statements
Form 5498       Individual Retirement Arrangement Information
K-1s            Beneficiary's, partnership's, and shareholder's share
                of income, deductions, credits, etc.
SSN             Social Security number
W-2s and W-3s   Wage and tax statements

Source: IRS Office of Safeguards.

We asked the
agencies we surveyed to indicate how they received taxpayer
information from IRS during 1997 or 1998 and how often they
received that information. Tables 2 and 3 show the survey results.

Table 2: Formats in Which Agencies Received Taxpayer Information
From IRS in 1997 or 1998

                                   Agencies
Format                   Federal      State and local(b)
Paper copy                 56%            44%
Electronic databases       50             15
Tape extracts              44             88
Other(a)                   28             18

Note: Percentages may add to more than 100 percent because
agencies can receive the information in different formats for
different purposes.
(a) Some agencies indicated that they received the information on
a diskette or via direct-connect.
(b) The percentages shown reflect the raw percentages obtained in
the sample. The population percentages associated with the
95-percent confidence interval are: paper (30%-59%), database
(6%-28%), tape extracts (75%-96%), other (8%-32%).
Source: GAO analysis of responses from agencies surveyed.

Table 3: Frequencies With Which Agencies Received Taxpayer
Information From IRS in 1997 or 1998

                                   Agencies
Frequency                Federal      State and local(b)
Yearly                     34%            18%
Quarterly                  19             15
Monthly                    19             53
Weekly                     47             18
Other(a)                   47             29

Note: Percentages may add to more than 100 percent because
agencies can receive the information at different intervals for
different purposes.
(a) Some agencies indicated that they received the information
upon request or on an as-needed basis.
(b) The percentages shown reflect the raw percentages obtained in
the sample. The population percentages associated with the
95-percent confidence interval are: yearly (8%-32%), quarterly
(6%-28%), monthly (39%-67%), weekly (8%-32%), other (17%-44%).
Source: GAO analysis of responses from agencies surveyed.

Appendixes III and IV further describe the types of
taxpayer information received by federal and state and local
agencies, respectively; the format in which the information was
received; and the frequency with which it was received,
categorized by purposes for which the information might be used.
In addition to the taxpayer information received from IRS, many
agencies use other sources of information to fulfill their
missions. We asked the agencies to indicate, in lieu of taxpayer
information, what other sources of data are available that would
allow them to accomplish their missions. As shown in table 4, the
responses from the federal, state, and local agencies we surveyed
generally fell into one of the following categories:

* There was no other source of data available to them.
* They used other sources, but these other sources were less
  reliable than tax information.
* They used other sources, but these other sources were more
  costly to use than tax information.
* They used other sources in conjunction with the tax
  information.
* They did not respond to this question.

Table 4: Other Sources of Data Agencies Used in Lieu of Taxpayer
Information

                                                    Agencies
Other sources                             Federal      State and local(a)
No other sources available                  47%            71%
Other sources less reliable                 28              3
Other sources more costly                   16              0
Used other sources as well as tax data      34             44
Did not respond                             19              3

Note: Percentages may add to more than 100 because more than one
response was possible for an agency due to multiple responses
from different components within an agency.
(a) The percentages shown reflect the raw percentages obtained in
the sample. The population percentages associated with the
95-percent confidence interval are: no other sources available
(56%-83%), other sources less reliable (0%-14%), other sources
more costly (0%-9%), and used other sources as well as tax data
(30%-59%).
Source: GAO analysis of responses from agencies surveyed.

How Is the Taxpayer Information Being Used?

Under various IRC section 6103 subsections, agencies may receive
taxpayer information for one of several reasons, such as to
administer state tax programs, assist in the enforcement of child
support programs, or verify eligibility and benefits for various
welfare and public assistance programs (e.g.,
food stamps or public housing).[6] Agencies may also receive
taxpayer data for use during a criminal investigation, to apprise
appropriate officials of criminal activities or emergency
circumstances, or to assist in locating fugitives from justice.
One of the most common reasons why agencies said they received
taxpayer information was their participation in the tax refund
offset program. Pursuant to the IRC, agencies submitted
qualifying debts, such as student loans or child support payments,
for collection by offsetting the debt against the taxpayer's
refund. Seventy-five percent of the federal agencies and 15
percent of the state and local agencies in our sample indicated
that they received taxpayer information for this purpose.
Effective January 1, 1999, tax refund offset procedures for
collecting qualifying debts were modified. The Department of the
Treasury's Financial Management Service was given the
responsibility for the Federal Refund Offset Program, which was
merged into the centralized administrative offset program known as
the Treasury Offset Program. This program
commingles tax refund information with other federal financial
information (e.g., benefit payments, pensions). If a match is
found when an individual has an outstanding debt and is receiving
federal money in any form (e.g., tax refund, pension, or vendor
payments), the individual is notified that his federal money can
be withheld to pay off the debt. The source or sources of any
money withheld is not revealed to the agencies, but simply the
fact that an offset has been made. This information, then, is no
longer identifiable as tax refund information; thus, it is no
longer considered taxpayer information.[7]

[6] See appendix II for a description of the various IRC 6103
subsections.

Because of this change to
the offset program, several agencies we surveyed indicated that
they no longer needed taxpayer information. Thirty-four percent of
the federal and 3 percent of the state and local agencies in our
sample indicated that they are participating in the Treasury
Offset Program and that they will no longer need to receive
taxpayer information from IRS. We asked the agencies we surveyed
to indicate how they use taxpayer information. We grouped their
responses into the following categories:

* administering debt collection or offset program;
* administering tax laws;
* determining eligibility for welfare and public assistance
  programs;
* enforcing child support programs;
* conducting criminal investigations; and
* other purposes, such as statistical and economic research,
  auditing government programs, or storage of tax returns.

Table 5 shows how the agencies we surveyed responded to our query
about how they used the taxpayer information they received in
1997 or 1998. (App. V provides a listing of possible uses of
taxpayer information received from IRS.)

[7] To the extent that agencies collect past-due child support
payments from tax refund offsets under the Treasury Offset
Program, such agencies continue to receive specified taxpayer
information as authorized by IRC section 6103(l)(10).

Table 5: How Taxpayer Information Was Used by Federal, State, and
Local Agencies in 1997 or 1998

                                                    Agencies
Category                                  Federal      State and local(a)
Debt collection/offset program              75%            15%
Administering tax laws                       0             41
Determining eligibility for
  welfare/public assistance programs        16             32
Enforcement of child support programs        6             29
During criminal investigations              28              3
Other purposes                              28              0

Note: Percentages may add to more than 100 percent because
agencies can use taxpayer information for multiple purposes.
(a) The percentages shown reflect the raw percentages obtained in
the sample. The population percentages associated with the
95-percent confidence interval are: Treasury offsets (6%-28%),
administration of tax laws (28%-56%), welfare/public assistance
programs (20%-47%), child support enforcement (17%-44%),
investigations (0%-14%), and other (0%-9%).
Source: GAO analysis of responses from agencies surveyed.

What Policies and Procedures Are Agencies Required to Follow to
Safeguard Taxpayer Information?

Before receiving taxpayer information from IRS, agencies are
required to provide IRS with a detailed Safeguard Procedures
Report (SPR) that describes the procedures established and used
by the agency for ensuring the confidentiality of the information
received. The SPR is a record of how the agency processes the
federal taxpayer information and protects it from unauthorized
disclosure. IRS Publication 1075 outlines
what must be included in an agency's SPR.[8] In addition to
requiring that it be submitted on agency letterhead and signed by
the head of the agency or the head's delegate, an agency's SPR
must contain information about

* responsible officer(s),
* location of the data,
* flow of the data,
* system of records,
* secure storage of the data,
* access to the data,
* disposal of the data,
* computer security, and
* agency's disclosure awareness program.

[8] See appendix VI for a summary of the requirements included in
IRS Publication 1075.

All federal agencies and the state welfare
agencies are to submit their SPRs to IRS' Office of Safeguards,
which is to review the reports for completeness and acceptance.
State taxing agencies and child support enforcement
agencies are to submit their SPRs to the IRS District Disclosure
Office in their respective states. Agencies are expected to submit
a new SPR every 6 years or whenever significant changes occur to
their safeguard program. IRS has taken steps to withhold taxpayer
information from agencies if their SPRs did not fulfill the
requirements set forth in IRC section 6103. Shown below are some
recent examples of IRS notifying agencies that they would not be
able to get taxpayer information because their SPRs were
incomplete.

* In April 1999, IRS' Office of Safeguards notified the Arizona
  Department of Economic Security that, since IRS had not
  received an acceptable SPR, it was recommending to IRS' Office
  of FedState Relations that federal taxpayer information be
  withheld until the agency complied with the safeguarding
  requirements outlined in IRC section 6103. IRS' Office of
  Safeguards further advised that it would recommend to the
  Social Security Administration that tax information contained
  in the Beneficiary Earnings Exchange Record should not be
  forwarded to the department.
* In May 1999, IRS' Office of Safeguards notified the West
  Virginia Department of Health and Human Resources that
  additional information that IRS had requested in an earlier
  letter had not been provided and that it could not accept the
  procedures described in the department's draft SPR as
  adequately protecting federal taxpayer information from
  unauthorized disclosure.
* In June 1999, IRS' Office of Safeguards notified the Federal
  Bureau of Investigation that IRS was unable to accept the
  Bureau's SPR as describing adequate safeguard procedures to
  protect federal taxpayer information from unauthorized
  disclosure.

Agencies are
also required to file a Safeguard Activity Report (SAR) annually
with IRS to advise it of any minor changes to the procedures or
safeguards described in their SPR. The SAR is also to advise IRS
of future actions that would affect the agency's safeguard
procedures (for example, new computer equipment, facilities, or
systems or the use of contractors, as permitted by law, to do
programming, processing, or administrative services). Moreover, the
SAR is to summarize the agency's current efforts to ensure
confidentiality and certify that the agency is protecting taxpayer
information pursuant to IRC section 6103(p)(4) and the agency's
own security requirements. In addition to the SPRs and annual SARs
that are sent to IRS, agencies' OIGs may also review agency
programs for safeguarding taxpayer
information. For example, a March 1999 Department of Veterans
Affairs (VA) OIG report outlined possible inappropriate requests
for and subsequent use of taxpayer information by VA's Health
Eligibility Center because of erroneous information supplied to
them by some VA medical facilities.[9] The OIG found that a large
percentage of sampled cases did not have certain required
documentation on file and, consequently, should not have been
referred for income matching and verification. Before we notified
IRS about the VA OIG report, neither Treasury nor IRS was aware of
the report or its findings. After meeting with IRS to discuss the
OIG findings, VA agreed to work with IRS on corrective actions.
According to IRS, federal agency OIGs are not required to notify
IRS of their findings involving tax returns and return
information. In July 1999, IRS issued a memorandum to federal
agency OIGs asking for their assistance in working with IRS in
this area.

How Frequently Is IRS to Monitor Agencies' Adherence to the
Safeguarding Requirements?

IRS is supposed to conduct on-site reviews every 3 years to ensure
that agencies' safeguard procedures fulfill IRS requirements for
protecting taxpayer information. IRS' National Office of
Governmental Liaison and Disclosure, Office of Safeguards, has
overall responsibility for safeguard reviews to assess whether
taxpayer information is properly protected from unauthorized
inspection, disclosure, or use as required by the IRC and to
assist in reporting to Congress.

The Office of Safeguards conducts the on-site reviews for all the
federal agencies and state welfare agencies that receive taxpayer
information. IRS' District Offices of Disclosure and FedState
Relations are responsible for conducting the on-site safeguard
reviews at all other state and local agencies that receive
taxpayer information. There are 33 district offices, 29 of which
have responsibilities for overseeing the safeguard reviews at
state and local agencies. As of June 1999, there were 230
professional and 24 support staff assigned to the national and
district disclosure offices. (App. VIII shows the staffing levels
of these offices.) In addition to overseeing the safeguarding
program, the district offices have responsibility for a variety of
other disclosure activities, such as responding to requests under
the Freedom of Information Act or Privacy Act. According to IRS,
staff from the responsible IRS office visit the agency to review
the procedures established and used by the agency to protect
taxpayer information from unauthorized disclosure. In addition,
they assess the agency's need for, and use of, this information.
IRS staff are to meet with agency personnel, review agency
records, and visit agency facilities where taxpayer information is
kept. They then prepare a report detailing their assessment of the
agency's processes and ability to fulfill the requirements of IRC
section 6103(p)(4).

9 Report No. 9R1-G01-054, Mar. 15, 1999.

In
addition to conducting the triennial safeguard reviews, IRS
District Disclosure Office staff are to conduct annual "need and
use" reviews at all state and local agencies involved in tax
administration. These reviews are done to validate the agencies'
continued need for and use of the tax information they receive
from IRS.

What Are the Results of IRS' Monitoring Efforts?

IRS' safeguard reviews over the last 5 years have identified
discrepancies in agency safeguard procedures and made
recommendations for corrections. The reviews have uncovered
deficiencies with agency safeguarding procedures, ranging from
inappropriate access of taxpayer information by contractor staff
to administrative matters, such as the failure to properly
document the disposal of information.
Discrepancies found by IRS during the safeguard reviews generally
were procedural deficiencies and did not result in known
unauthorized disclosures of taxpayer information. In their
responses to the discrepancies found and recommendations made by
IRS, agencies indicated that they would institute corrective
actions. (App. VII provides examples of the discrepancies found by
IRS during its safeguard reviews.) As noted above, one of the
discrepancies that IRS found during safeguard reviews was that
some agencies that received taxpayer information were using
contractor personnel in a manner that might allow them access to
taxpayer information. In its Report on Procedures and Safeguards
Established and Utilized by Agencies for the Period January 1
through December 31, 1998, IRS highlighted this problem to
Congress. IRS found agencies using contractor personnel in setting
up agency computer systems in a manner that permitted the
contractors to see taxpayer information. IRS also found agencies
using contractor personnel in the disposal of taxpayer
information, without having agency personnel observe the process
to ensure that contractor personnel did not "access" the
information. One of the major changes to IRS Publication 1075 in
March 1999 was the inclusion of a section devoted to the
appropriateness of, and precautions with, using contractor
personnel to assist an agency in fulfilling the part of its
mission that requires the use of taxpayer information.

Some types of administrative discrepancies found by IRS staff
during safeguard reviews included, among other things, that
* agencies were not properly documenting what information had been
  destroyed;
* agency recordkeeping systems at field offices did not always
  meet the statutory requirements for accountability;
* agencies were not properly tracking the shipment of paper
  documents containing federal taxpayer information; and
* employees were not always aware of the criminal and civil
  penalties that can be imposed for unauthorized inspection or
  disclosure.

Agency Comments and Our Evaluation

We requested comments on a draft of this report from the
Commissioner of Internal Revenue. Officials representing the
Assistant Commissioner for Examination and the Commissioner's
Office of Legislative Affairs provided IRS' comments at an August
12, 1999, meeting. IRS also provided written comments in an
August 16, 1999, letter, which is reprinted in appendix X. IRS was
in overall agreement with the draft report and said it fairly
represented the scope and use of IRC section 6103 provisions
regarding safeguarding taxpayer information. IRS also provided
some additional information and technical comments. Where
appropriate, we made changes to this report on the basis of these
comments.

We are sending copies of this report to Senator Fred
Thompson, Chairman, and Senator Joseph I. Lieberman, Ranking
Minority Member, Senate Committee on Governmental Affairs, and
Representative Charles B. Rangel, Ranking Minority Member, House
Committee on Ways and Means. We are also sending copies to the
Honorable Lawrence H. Summers, Secretary of the Treasury; the
Honorable Charles O. Rossotti, Commissioner of Internal Revenue;
the Honorable Jacob Lew, Director, Office of Management and
Budget; and other interested parties. We will also send copies to
those who request them.

If you or your staff have any questions concerning this report,
please contact me or Joseph Jozefczyk at (202) 512-9110. Other
major contributors to this report are acknowledged in appendix XI.

Cornelia M. Ashby
Associate Director, Tax Policy and Administration Issues

Contents

Letter

Appendixes
Appendix I: Lists of Federal, State, and Local Agencies Receiving
  Taxpayer Information
Appendix II: IRC Section 6103 Subsections That Authorize IRS to
  Disclose Taxpayer Information Subject to Safeguarding
  Requirements
Appendix III: Overview of Information Provided to Federal Agencies
  Under the Provisions of IRC Section 6103
Appendix IV: Overview of Information Provided to State and Local
  Agencies Under the Provisions of IRC Section 6103
Appendix V: Possible Uses for Federal Taxpayer Data Provided to
  Federal, State, and Local Agencies
Appendix VI: Summary of Tax Information Security Guidelines for
  Federal, State, and Local Agencies
Appendix VII: Examples of Deficiencies Found During IRS' Reviews
  of Agencies' Safeguarding Procedures
Appendix VIII: Staffing Levels for IRS' Office of Safeguards
Appendix IX: Questionnaires Used to Survey Federal, State, and
  Local Agencies Receiving Taxpayer Information
Appendix X: Comments From the Internal Revenue Service
Appendix XI: GAO Contacts and Staff Acknowledgments

Tables
Table 1: Examples of Types of Taxpayer Information Received by
  Federal, State, and Local Agencies
Table 2: Formats in Which Agencies Received Taxpayer Information
  From IRS in 1997 or 1998
Table 3: Frequencies With Which Agencies Received Taxpayer
  Information From IRS in 1997 or 1998
Table 4: Other Sources of Data Agencies Used in Lieu of Taxpayer
  Information
Table 5: How Taxpayer Information Was Used by Federal, State, and
  Local Agencies in 1997 or 1998
Table I.1: List of Federal Agencies Receiving Taxpayer Information
Table I.2: List of State and Local Agencies Receiving Taxpayer
  Information
Table II.1: IRC Authorization for Federal Agencies to Receive
  Taxpayer Information
Table II.2: IRC Authorization for State and Local Agencies to
  Receive Taxpayer Information
Table III.1: Disclosure to Federal Agencies for Tax Administration
  and the Administration of Federal Laws Not Related to Tax
  Administration
Table III.2: Disclosure to Federal Agencies for Statistical
  Purposes
Table III.3: Disclosure to Federal Agencies for Purposes Other
  Than Tax Administration
Table III.4: Disclosure to Federal Agencies for Collecting Certain
  Federal Claims and Taxes and for Locating Donors
Table IV.1: Disclosure to State Tax Officials and State and Local
  Law Enforcement Agencies
Table IV.2: Disclosure to State and Local Child Support
  Enforcement Agencies
Table IV.3: Disclosure to State and Local Welfare Agencies
Table V.1: Possible Uses of Taxpayer Information by Federal,
  State, and Local Agencies
Table VII.1: Examples of Agency Deficiencies Found During IRS'
  Safeguard Reviews

Figures
Figure IX.1: Survey of Federal Agencies Receiving Taxpayer Data
Figure IX.2: Survey of State and Local Agencies Receiving Taxpayer
  Data

Abbreviations
ATF   Bureau of Alcohol, Tobacco, and Firearms
FMS   Financial Management Services
HCFA  Health Care Financing Administration
IRC   Internal Revenue Code
IRS   Internal Revenue Service
OCSE  Office of Child Support Enforcement
OIG   Office of the Inspector General
OPM   Office of Personnel Management
RRB   Railroad Retirement Board
SSA   Social Security Administration
VA    Department of Veterans Affairs
SAR   Safeguards Activity Report
SPR   Safeguards Procedures Report

Appendix I
Lists of Federal, State, and Local Agencies Receiving Taxpayer
Information

The Internal Revenue Service (IRS) provided us with the following
list of federal agencies in the Washington, D.C., metropolitan
area that received, or maintained records containing, taxpayer
data under the authority of Internal Revenue Code (IRC) section
6103.

Table I.1: List of Federal Agencies Receiving Taxpayer Information

 1 Agency for International Development (a)
 2 Central Intelligence Agency
 3 Defense Finance and Accounting Service
 4 Department of Agriculture
     Farm Service Agency
     Food and Nutrition Service
     National Finance Center
     Office of the Inspector General
     Risk Management Agency
     Rural Development
 5 Department of Commerce
     Bureau of Economic Analysis
     Economic Planning and Coordination Division
     Planning Research and Evaluation Division
     Office of Financial Management
 6 Department of Education
 7 Department of Energy (a)
 8 Department of Health and Human Services
     Office of Child Support Enforcement
     Program Support Center
 9 Department of Housing and Urban Development
     Albany Financial Operations Center
     Real Estate Assessment Center
10 Department of the Interior
11 Department of Justice
     Antitrust Division
     Civil Division
     Debt Collection Management
     Federal Bureau of Investigation
     Office of Professional Responsibility
     Tax Division
     U.S. Attorneys Offices
12 Department of Labor
     Office of the Chief Financial Officer
     Office of the Inspector General
     Pension and Welfare Benefits Administration
     Plans Benefits Security Division
13 Department of State
     General Accounting Section
14 Department of Transportation
     Federal Aviation Administration
     Office of the Secretary of Transportation, TASC
     Research and Special Programs
     U.S. Coast Guard
15 Department of the Treasury
     Financial Management Service
     Office of the Inspector General
     U.S. Customs Service
     U.S. Secret Service, Financial Management Division
     U.S. Secret Service, Investigative Support Division
16 Department of Veterans Affairs
     Debt Management Center
     Veterans Benefits Administration
17 Environmental Protection Agency (a)
18 Equal Employment Opportunity Commission
19 Federal Emergency Management Agency
20 General Accounting Office
21 General Services Administration
22 National Archives and Records Administration
     Office of the General Counsel
     Records Center Facilities
23 National Labor Relations Board
24 National Science Foundation
25 Office of Independent Counsel
26 Office of Personnel Management
27 Pension Benefit Guaranty Corporation
28 Securities and Exchange Commission
29 Small Business Administration
30 Social Security Administration
     Office of the Inspector General
     Office of Policy, Office of Research, Evaluation, and
       Statistics
     Office of Program Benefits
     Office of Systems Requirements
31 United States Marine Corps
32 U.S. Information Agency
33 U.S. Peace Corps
34 U.S. Postal Service
     Postal Inspection Service

(a) In responding to our questionnaire, these agencies indicated
that they had not received any taxpayer information in 1997 or
1998.

In addition, IRS identified the following six entities not in the
Washington, D.C., metropolitan area that received taxpayer
information. These were:
* Army and Air Force Exchange, Dallas, TX
* Department of the Treasury, Bureau of Public Debt,
  Parkersburg, WV
* Navy Exchange Service Command, Virginia Beach, VA
* Department of the Treasury, U.S. Customs, Indianapolis, IN
* Department of Veterans Affairs, Fort Snelling, MN
* U.S. Railroad Retirement Board, Chicago, IL

As agreed with your office, we did
not include these six in our survey because they were located
outside the Washington, D.C., metropolitan area. IRS provided us
with the following list of state and local agencies that received,
or maintained records containing, taxpayer data under the
authority of IRC section 6103.

Table I.2: List of State and Local Agencies Receiving Taxpayer
Information

  1 Alabama Child Support Enforcement Agency
  2 Alabama Department of Human Resources
  3 Alabama Department of Revenue
  4 Alabama Medicaid Agency
  5 Alaska Child Support Enforcement Agency
  6 Alaska Department of Health & Social Services
  7 Alaska Department of Revenue
  8 American Samoa Department of Treasury
  9 Arizona Department of Economic Security
 10 Arizona Department of Revenue
 11 Arizona Department of Transportation
 12 Arizona Health Care Cost Containment System
 13 Arkansas Department of Finance & Administration Revenue
 14 Arkansas Department of Human Services
 15 Arkansas Department of Labor
 16 Arkansas Office of Child Support Enforcement
 17 California State Controller's Office
 18 California Department of Social Services
 19 California Employment Development Department
 20 California Franchise Tax Board
 21 California State Board of Equalization
 22 Colorado Department of Human Services
 23 Colorado Department of Labor & Employment
 24 Colorado Department of Revenue
 25 Colorado Department of Social Services
 26 Connecticut Bureau of Child Support
 27 Connecticut Department of Revenue Services
 28 Connecticut Department of Social Services
 29 Delaware Child Support Enforcement Agency
 30 Delaware Department of Transportation
 31 Delaware Division of Revenue
 32 Delaware Health & Social Services
 33 District of Columbia Office of Corporation Counsel
 34 District of Columbia Department of Human Services
 35 District of Columbia Office of Tax & Revenue
 36 Florida Department of Children & Family Services
 37 Florida Department of Revenue
 38 Georgia Child Support Enforcement Agency
 39 Georgia Department of Human Resources
 40 Georgia Department of Labor
 41 Georgia Department of Revenue
 42 Guam Child Support Enforcement Agency
 43 Guam Department of Revenue & Taxation
 44 Hawaii Child Support Enforcement Agency
 45 Hawaii Department of Human Services
 46 Hawaii Department of Labor & Industrial Relations
 47 Hawaii Department of Taxation
 48 Idaho Department of Health & Welfare
 49 Idaho Department of Labor
 50 Idaho Department of Revenue
 51 Idaho State Tax Commission
 52 Illinois Attorney General's Office
 53 Illinois Department of Human Services
 54 Illinois Department of Public Aid
 55 Illinois Department of Revenue
 56 Illinois Office of Child Support Enforcement
 57 Indiana Family & Social Services Administration
 58 Indiana Department of Revenue
 59 Indiana Department of Workforce Development
 60 Indiana Office of Child Support Enforcement
 61 Iowa Child Support Enforcement Agency
 62 Iowa Department of Human Services
 63 Iowa Department of Finance & Revenue
 64 Iowa Workforce Development
 65 Kansas Department of Revenue
 66 Kansas Department of Social & Rehabilitative Services
 67 Kentucky Cabinet for Families & Children
 68 Kentucky Revenue Cabinet
 69 Kentucky Workforce Development
 70 Kentucky - Louisville/Jefferson County Revenue Commission
 71 Louisiana Child Support Enforcement Agency
 72 Louisiana Department of Health & Hospitals
 73 Louisiana Department of Revenue
 74 Louisiana Department of Social Services
 75 Louisiana State Police
 76 Maine Bureau of Employment
 77 Maine Child Support Enforcement Agency
 78 Maine Department of Human Services
 79 Maine Revenue Services
 80 Maryland Child Support Enforcement Agency
 81 Maryland Controller of the Treasury
 82 Maryland Department of Human Resources
 83 Maryland Department of Labor
 84 Massachusetts Child Support Enforcement Agency
 85 Massachusetts Department of Employment Services
 86 Massachusetts Department of Revenue
 87 Massachusetts Department of Transitional Assistance
 88 Massachusetts Division of Medical Assistance
 89 Michigan Family Independence Agency
 90 Michigan Department of Treasury
 91 Michigan Office of Child Support Enforcement
 92 Michigan - City of Detroit Income Tax Bureau
 93 Minnesota Department of Economic Security
 94 Minnesota Department of Human Services
 95 Minnesota Department of Revenue
 96 Minnesota Department of Social Services
 97 Mississippi Child Support Enforcement Agency
 98 Mississippi Department of Human Services
 99 Mississippi Department of Public Safety
100 Mississippi Division of Medicaid
101 Mississippi State Tax Commission
102 Missouri Department of Revenue
103 Missouri Department of Social Services
104 Missouri Division of Employment Security
105 Missouri - Kansas City Revenue Division
106 Missouri - City of St. Louis Revenue Department
107 Montana Department of Justice
108 Montana Department of Public Health & Human Services
109 Montana Department of Revenue
110 Montana Department of Social & Rehabilitation Services
111 Montana Department of Transportation
112 Nebraska Child Support Enforcement Agency
113 Nebraska Department of Health & Human Services
114 Nebraska Department of Labor
115 Nebraska Department of Revenue
116 Nebraska Department of Social Services
117 Nevada Department of Human Resources
118 Nevada Department of Motor Vehicles
119 Nevada Department of Taxation
120 Nevada Department of Human Resources
121 New Hampshire Child Support Enforcement Agency
122 New Hampshire Department of Employment
123 New Hampshire Department of Health & Human Services
124 New Hampshire Department of Revenue
125 New Hampshire Department of Safety
126 New Jersey Department of Human Services
127 New Jersey Department of Labor
128 New Jersey Division of Taxation
129 New Mexico Human Services Department
130 New Mexico Department of Labor
131 New Mexico Taxation & Revenue Department
132 New York Department of Labor
133 New York Department of Social Services
134 New York Department of Taxation & Finance
135 New York City Department of Finance
136 North Carolina Department of Health & Human Services
137 North Carolina Department of Human Resources
138 North Carolina Department of Revenue
139 North Dakota Department of Human Services
140 North Dakota Office of State Tax Commissioner
141 Ohio Bureau of Employment Services
142 Ohio Department of Human Services
143 Ohio Department of Taxation
144 Ohio - City of Cincinnati Income Tax Bureau
145 Ohio - City of Cleveland Division of Taxation
146 Ohio - City of Columbus Income Tax Division
147 Ohio - City of Toledo Division of Taxation
148 Oklahoma Department of Human Services
149 Oklahoma Tax Commission
150 Oregon Child Support Enforcement Agency
151 Oregon Department of Human Resources
152 Oregon Department of Revenue
153 Pennsylvania Department of Public Welfare
154 Pennsylvania Department of Revenue
155 Pennsylvania - City of Philadelphia Department of Revenue
156 Pennsylvania - City of Pittsburgh Department of Finance
157 Puerto Rico Department of Social Services
158 Puerto Rico Department of the Family
159 Puerto Rico Department of the Treasury
160 Puerto Rico Department of Welfare
161 Puerto Rico Division of Medicaid
162 Rhode Island Child Support Enforcement Agency
163 Rhode Island Department of Human Services
164 Rhode Island Department of Administration
165 South Carolina Department of Revenue
166 South Carolina Department of Social Services
167 South Carolina Employment Services
168 South Dakota Department of Labor
169 South Dakota Department of Revenue
170 South Dakota Department of Social Services
171 Tennessee Department of Employment Security
172 Tennessee Department of Human Services
173 Tennessee Department of Revenue
174 Tennessee - Nashville Metropolitan Police Department
175 Texas Department of Human Services
176 Texas Disposal Systems
177 Texas Office of the Attorney General, Child Support
    Enforcement
178 Texas Comptroller of Public Accounts
179 Texas Workforce/Employment Commission
180 Utah Department of Workforce Services
181 Utah State Tax Commission
182 Vermont Child Support Enforcement Agency
183 Vermont Department of Employment Services
184 Vermont Department of Social Welfare
185 Vermont Department of Taxes
186 Vermont Division of Motor Vehicles
187 Virginia Child Support Enforcement Agency
188 Virginia Department of Motor Vehicles
189 Virginia Department of Social Services
190 Virginia Department of Taxation
191 Virgin Islands Bureau of Health Insurance & Medical Assistance
192 Virgin Islands Bureau of Internal Revenue
193 Virgin Islands Department of Finance
194 Virgin Islands Department of Human Services
195 Virgin Islands Department of Justice, Child Support
    Enforcement
196 Washington Child Support Enforcement Agency
197 Washington Department of Social & Health Services
198 Washington State Department of Revenue
199 Washington Department of Licensing
200 Washington Department of Labor & Industry
201 Washington State Employment Security
202 West Virginia Child Support Enforcement Agency
203 West Virginia Department of Employment
204 West Virginia Department of Health & Human Services
205 West Virginia Department of Tax & Revenue
206 Wisconsin Child Support Enforcement Agency
207 Wisconsin Department of Industry & Labor
208 Wisconsin Department of Revenue
209 Wisconsin Department of Workforce Development
210 Wyoming Department of Employment
211 Wyoming Department of Family Services
212 Wyoming Department of Revenue
213 Wyoming Department of Social Service
214 Wyoming Department of Transportation
215 Wyoming State Auditor's Office

Appendix II
IRC Section 6103 Subsections That Authorize IRS to Disclose
Taxpayer Information Subject to Safeguarding Requirements

IRC Section 6103

Certain federal, state, and local agencies, and others are
authorized under Internal Revenue Code (IRC) section 6103 to
receive taxpayer information from the Internal Revenue Service
(IRS). The following describes the agencies, bodies, commissions,
and other agents authorized by IRC section 6103 subsections to
obtain taxpayer information, subject to safeguarding requirements
prescribed in IRC section 6103(p)(4).

IRC Section 6103(d)
Disclosures to State Tax Agencies and State and Local Law
Enforcement Agencies (Officers and Employees) for Tax
Administration Purposes

Disclosures of taxpayer information can be made to state taxing
agencies and state and local law enforcement agencies that assist
in the administration of state tax laws. Disclosures under this
section are to be used only for tax administration purposes, and
states must justify the need for this information and must use the
data provided.

IRC Section 6103(f)
Disclosures to Committees of Congress

Certain disclosures of taxpayer information can be made to
Committees of Congress and their agents upon written request from
the Chairman of the House Committee on Ways and Means, the Senate
Committee on Finance, or the Joint Committee on Taxation. Taxpayer
information that can be associated with, or otherwise identify
(directly or indirectly), a particular taxpayer can only be
furnished to the Committee when in closed executive session,
unless a taxpayer otherwise consents in writing to the disclosure.
Agents, such as the General Accounting Office, and certain other
Committees may also receive taxpayer information under subsections
(f)(3) and (4).

IRC Section 6103(h)
Disclosures to Federal Agencies (Officers and Employees) for Tax
Administration Purposes

6103(h)(2): Disclosures of taxpayer information can be made to the
Department of Justice for proceedings involving tax administration
before a federal grand jury or any proceedings or investigation
that may result in a proceeding before a federal grand jury or
federal or state court.

6103(h)(5): Disclosures of the address and status of a nonresident
alien, citizen, or resident of the United States to the Social
Security Administration (SSA) and Railroad Retirement Board can be
made for purposes of carrying out responsibilities for withholding
tax under section 1441 of the Social Security Act for Social
Security benefits.

IRC Section 6103(i)
Disclosures to Federal Agencies (Officers and Employees) for
Administration of Federal Laws Not Related to Tax Administration

6103(i)(1) and (2): Disclosures of taxpayer and other information
can be made for use in certain criminal investigations.

6103(i)(3): Disclosures of taxpayer information can be used to
apprise appropriate officials of criminal activities or emergency
circumstances.

6103(i)(5): Disclosures of taxpayer information can be made to
locate fugitives from justice upon the grant of an ex parte order
by a federal district court judge or magistrate.

6103(i)(7): Disclosures of taxpayer information can be made to
officers and employees of the General Accounting Office in
conducting audits of IRS; Bureau of Alcohol, Tobacco and Firearms
(ATF); and any agency authorized by 6103(p)(6).

IRC Section 6103(j)
Disclosures for Statistical Use

6103(j)(1): Disclosures of taxpayer information can be made to the
Department of Commerce (Census and Bureau of Economic Analysis).

6103(j)(2): Disclosures of taxpayer information can be made to the
Federal Trade Commission for statistical purposes. Only corporate
returns can be disclosed for legally authorized economic surveys
of corporations. (According to IRS, this section is obsolete
because the Federal Trade Commission no longer performs these
economic surveys.)

6103(j)(5): Disclosures of taxpayer information can be made to the
Department of Agriculture for the purpose of structuring,
preparing, and conducting the census of agriculture pursuant to
the Census of Agriculture Act of 1997.

IRC Section 6103(k)(8)
Disclosure for Certain Other Tax Administration Purposes

Disclosures of taxpayer information can be made to the Department
of the Treasury's Financial Management Service (FMS) for levies
related to any federal debt.

IRC Section 6103(l)
Disclosures for Purposes Other Than Tax Administration

IRC section 6103(l)(1) and (l)(5) allow a specific type of
disclosure between IRS and SSA commonly known as the Continuous
Work History Sample Program. Under this disclosure, a small sample
(approximately 1%) of the U.S. population's Social
Security-related data, wage information, and self-employment data
is collected and used (1) for various studies to monitor trends
that may affect Social Security programs; (2) as a model to assist
in determining the effects of proposed program changes, including
proposed legislative or administrative changes; and (3) to assess
funding requirements related to trust funds and the budget.

6103(l)(1): Disclosures of
taxpayer information can be made to the Social Security
Administration and Railroad Retirement Board for the
administration of the Social Security Act and the Railroad
Retirement Act. The common name for this disclosure is the
Administration of the Social Security Act Program. Section
6103(l)(1) is very specific as to what information may be
disclosed to SSA, and part of this information may be used by SSA
only for purposes of carrying out its responsibility under section
1131 of the Social Security Act. 6103(l)(2)Disclosures of taxpayer
information can be made to the Department of Labor and the Pension
Benefit Guaranty Corporation for administration of titles I and IV
of the Employee Retirement Income Security Act of 1974.
6103(l)(3)Disclosures of taxpayer information can be made to any
federal agency administering a federal loan program.
6103(l)(5)Disclosures of taxpayer information can be made to the
Social Security Administration for the purposes of (1) carrying
out an effective return processing program pursuant to section 232
of the Social Security Act and (2) providing information regarding
the mortality status of individuals for epidemiological and
similar research in accordance with section 1106(d) of the Social
Security Act. The common name for this disclosure is the Annual
Wage Reporting Program. Section 6103(l)(5) permits SSA and IRS to
work together to process and share certain information. SSA and
IRS conduct a number of exchanges to identify whether employee,
employer, and wage data are correct and employers are submitting
information as legally required. 6103(l)(6)Disclosures of taxpayer
information can be made to federal, state, and local child support
enforcement agencies for the purposes of establishing and
collecting child support obligations from individuals owing such
obligations, including locating such individuals. Under IRC
section 6103(p)(2), in conjunction with section 6l03(l)(6), IRS
has authorized SSA to make disclosures to the Office of Child
Support Enforcement, a federal agency that oversees child support
enforcement at the federal level and acts as a coordinator for
most programs involved with child support enforcement. Page 26
GAO-GGD-99-164 Safeguarding Taxpayer Information Appendix II IRC
Section 6103 Subsections That Authorize IRS to Disclose Taxpayer
Information Subject to Safeguarding Requirements

6103(l)(7) Disclosures of taxpayer information can be made to
federal, state, and local agencies administering certain benefits
programs for the purposes of determining eligibility for, or
correct amount of, benefits under such programs. Section
6103(l)(7) states that SSA will provide its return information
[obtained under 6103(l)(1) or (5)] to other agencies to assist
them with specific welfare programs. The states (and other
authorized agencies) provide the names and Social Security numbers
of welfare applicants or recipients, and SSA provides the
authorized information, such as wages and self-employment (net
earnings) and retirement income. This disclosure between SSA and
the other agencies is called the Beneficiary and Earnings Data
Exchange Program. A similar program, the 1099 Program, involves
the disclosure of unearned income information between IRS and
federal, state, and local agencies administering these programs.

6103(l)(8) Disclosures of taxpayer information can be made by SSA
to other state and local child support enforcement agencies for
the same purposes as 6103(l)(6).[1]

[1] According to IRS data, there are currently no disclosures
being made under 6103(8). Section 6103(l)(6) allows IRS to provide
the same information to federal, state, and local agencies.

6103(l)(9) Disclosures of taxpayer information can be made to
state administrators of state alcohol laws for use in the
administration of such laws. The disclosure is limited to
information on alcohol fuel producers only.

6103(l)(10) Disclosures of specific taxpayer information relating
to tax refund offsets can be made to the agency requesting such
offsets in order to collect specified debts, such as student loans
or child support payments. This disclosure between IRS and other
agencies was known as the Tax Refund Offset Program. This program
is currently undergoing a "transition." In the past, agencies
received pre-offset debtor addresses, debtor identity information,
the filing status (if joint), and any payment amount to the spouse
of a joint return from IRS. Effective January 1, 1999, Treasury's
Financial Management Service assumed complete responsibility for
the Treasury Offset Program. Except in the case of tax refund
offsets to collect child support debts, agencies are now receiving
offset information under the Treasury Offset Program procedures.
Tax refund offset will, in general, be blended, or amalgamated,
with other Treasury "offsets," such as salary offsets. FMS is to
perform the blending and tax information is not to be identified
beyond FMS, except for agencies involved in collecting child
support debts. When tax refund offset information is blended and
unidentifiable under the Treasury Offset Program procedures, it is
no longer considered return information and section 6103(p)(4)
safeguarding procedures are not required.

6103(l)(11) Disclosures of taxpayer information can be made by SSA
to the Office of Personnel Management (OPM) for the purpose of
administering the federal employees' retirement system (chs. 83
and 84 of title 5, U.S.C.). The common name for this disclosure
between SSA and OPM is the Federal Employees' Retirement System
Program. It involves a computer match where OPM provides the names
and Social Security numbers of federal employees participating in
the federal retirement system and SSA provides the wages,
self-employment earnings, and retirement income information
obtained under IRC sections 6103(l)(1) and (l)(5).

6103(l)(12) Taxpayer information can be disclosed by IRS to SSA
and by SSA to the Health Care Financing Administration (HCFA) to
administer the Medicare program. The common name for this type of
disclosure is the Medicare Secondary Payer Project. The purpose of
this disclosure is to identify the employment status of Medicare
beneficiaries to determine if medical care is covered by group
health plans. It permits IRS to provide SSA with identity
information, filing and marital status, and spouse's name and
Social Security number for specific years for any Medicare
beneficiary identified by SSA. It also permits SSA to disclose to
HCFA the names and Social Security numbers of Medicare
beneficiaries receiving wages above a specified amount.
Additionally, it permits HCFA to disclose certain return
information to qualified employers and group health plans.

6103(l)(13) Disclosures of taxpayer information can be made to the
Department of Education to administer the "Direct Student Loans"
program.[2]

[2] According to IRS, no disclosures have been made under this
provision. Instead, the Department of Education has obtained
taxpayer information pursuant to taxpayer consents under section
6103(c). Such disclosures are not subject to safeguards.

6103(l)(14) Disclosures of taxpayer information can be made to
U.S. Customs to audit evaluations of imports and exports, and to
take other actions to recover any loss of revenue or collection of
duties, taxes, and fees determined to be due and owed as a result
of such audits.

6103(l)(16) Disclosures of taxpayer information can be made by SSA
to officers or employees of the Department of the Treasury, a
trustee or any designated officer, employee, or actuary of a
trustee (as defined in the D.C. Retirement Protection Act), for
the purpose of determining an individual's eligibility for, or the
correct amount of, benefits under the District of Columbia
Retirement Protection Act of 1997.

6103(l)(17) Disclosures of taxpayer information can be made to the
National Archives and Records Administration for the purposes of
appraisal of records for destruction or retention.

IRC Section 6103(m) Disclosures of Taxpayer Identity Information

Section 6103(m)(2), (4), (6), and (7) are not subject to
6103(p)(4) safeguarding requirements unless address and entity
information is redisclosed to an agent. If redisclosed to an
agent, both the agency and the agent must safeguard the
information.

6103(m)(2) Disclosures of taxpayer information can be made to
federal agencies for collection of federal claims under the
Federal Claims Collection Act. Section 6103(m)(2) authorizes IRS
to provide the mailing addresses of taxpayers to any federal
agency to locate taxpayers in an attempt to collect federal
claims. The common names for this type of disclosure are Taxpayer
Address Request Program or the Recovery and Collection of
Overpayment Process. It involves the federal agency providing IRS
with a listing of debtors, identified by Social Security number
and name, and IRS then providing the agency with the same
information and the latest known address.

6103(m)(4) Disclosures of taxpayer information can be made to the
Department of Education for collection of Student Loans.

6103(m)(6) Disclosures of taxpayer information can be made to
officers and employees of the Blood Donor Locator Service in the
Department of Health and Human Services for the purpose of
locating individuals to inform donors of the possible need for
medical care and treatment relating to acquired immune deficiency
syndrome.

6103(m)(7) Disclosures of taxpayers' mailing addresses can be made
to SSA for the purpose of mailing the Personal Earnings and
Benefit Estimate Statements (Social Security account statements).

IRC Section 6103(n) Disclosures to Contractors

6103(n) Disclosures of taxpayer information can be made to
contractors to the extent necessary and for the various activities
and services related to tax administration. These disclosures can
only be made by the Treasury Department, a state tax agency, SSA,
and the Department of Justice and in accordance with regulations
prescribed by the IRS Commissioner.

IRC Section 6103(o) Disclosures With Respect to Certain Taxes

6103(o)(1) Disclosures of taxpayer information can be made to ATF
for administering certain taxes on alcohol, tobacco, and firearms.

Tables II.1 and II.2 show, for the agencies we surveyed that
received taxpayer information in 1997 or 1998, the authorization
under which they received the information.

Table II.1: IRC Authorization for Federal Agencies to Receive
Taxpayer Information

IRC section 6103
subsections Federal agency
6103(d) 6103(f) 6103(h) 6103(i) 6103(j) 6103(l) 6103(m) 6103(o)
Other Central Intelligence Agency
X Defense Finance and Accounting Service
X X Department of Agriculture
X X X X Department of
Commerce
X X Department of Education
X Department of Health and Human Services
X Department of Housing and Urban Development
X X Department of the Interior
X Department of Justice
X X X X X Department of
Labor
X X X X Department of State
X Department of Transportation
X X X Department of the
Treasury X
X X X X Department of Veterans
Affairs
X X Equal Employment Opportunity Commission
X Federal Emergency Management Agency
X General Accounting Office X
X X X General Services
Administration
X National Archives and Records Administration
X National Labor Relations Board
X National Science Foundation
X Office of Independent Counsel
X X Office of Personnel Management
X Pension Benefit Guaranty Corporation
X Securities and Exchange Commission
X X Small Business Administration
X Social Security Administration
X X X United States Marine Corps
X U.S. Information Agency
X U.S. Peace Corps
X X X U.S. Postal
Service
 X
Source: IRS' Office of Safeguards and agencies' responses to our
survey.

Table II.2: IRC Authorization for State and Local Agencies to
Receive Taxpayer Information

IRC section 6103 subsections State agency
6103(d) 6103(f) 6103(h) 6103(i) 6103(j) 6103(l) 6103(m) 6103(o)
Other Alabama Department of Human Resources
X California State Controller's Office X
California Department of Social Services
X California Franchise Tax Board X
Connecticut Department of Social Services
X Delaware Department of Health & Social Services
X District of Columbia Office of Corporate Counsel
X District of Columbia Office of Tax & Revenue X
Florida Department of Children & Family Services
X Georgia Department of Human Resources
X Georgia Department of Revenue X
Illinois Department of Human Services
X Illinois Department of Public Aid
X Kansas Department of Revenue X
Kentucky Cabinet for Families & Children, Child
X Support Enforcement Agency Kentucky Cabinet for Families &
Children, Welfare
X Division Louisiana Department of Health & Hospitals
X Louisiana Department of Revenue X
Massachusetts Department of Transitional
X Assistance Mississippi Division of Medicaid
X Missouri Department of Revenue X
X Montana Department of Revenue X
Nebraska Department of Health & Human
X Services, Child Support Enforcement New Jersey Department of
Human Services
X New Mexico Human Services Department
X Nevada Department of Human Resources
X North Dakota Office of State Tax Commissioner X
Rhode Island Department of Administration X Texas
Comptroller of Public Accounts X Virginia
Department of Social Services, Division of
X Child Support Enforcement Virginia Department of Social Services
X Vermont Department of Taxes X
Wisconsin Department of Revenue X West
Virginia Department of Tax and Revenue X
Source: Agencies' responses to our survey.

Appendix III
Overview of Information Provided to Federal Agencies Under the
Provisions of IRC Section 6103

Internal Revenue Code (IRC) section 6103 allows the Internal
Revenue Service (IRS) to disclose taxpayer information to federal
agencies and authorized employees of those agencies. Disclosure of
taxpayer information is to be used strictly for the purposes
outlined by federal statutes and in accordance with IRS policy and
procedures.

IRC sections 6103(h) and 6103(i) allow IRS to disclose taxpayer
information to the employees and officers of any federal agency
for tax administration purposes as well as for the administration
of federal laws not related to tax. Under 6103(h), IRS can
disclose information to the Department of Justice for federal tax
investigations and to the Social Security Administration (SSA) and
Railroad Retirement Board (RRB) for purposes of withholding
taxes.[1] IRC section 6103(i) allows the disclosure of information
for use in federal nontax criminal investigations and other
activities not related to tax administration. Table III.1 shows
some types of taxpayer information disclosed and the disclosure
format and frequency.

Table III.1: Disclosure to Federal Agencies for Tax Administration
and the Administration of Federal Laws Not Related to Tax
Administration

Taxpayer information provided             Format       Frequency
----------------------------------------  -----------  ------------
Criminal tax investigation reports and    Hard copy    Upon request
  taxpayer listings
Individual and business income tax        Hard copy    Upon request
  return information (individual and
  business master files and return
  transaction files)
Individual and corporate income tax,      Hard copy    Upon request
  estate tax, partnership, fiduciary,
  excise tax, and exempt organization
  audit reports
Payer and payee information from W-2s,    Hard copy    Upon request
  K-1s, Form 1099s, and Form 5498
Taxpayers' mailing addresses              Hard copy    Upon request

Legend
Form 1099s  Interest, dividend, and miscellaneous income statements
Form 5498   Individual Retirement Arrangement Information
K-1s        Beneficiary's, partnership's, or shareholder's share of
            income, deductions, credits, etc.
W-2s        Wage and tax statements

Source: IRS' Office of Safeguards.

IRC section
6103(j) allows IRS to disclose taxpayer information to the
Departments of Agriculture and Commerce and to officers and
employees of the Department of the Treasury for statistical use.
Table III.2 shows the types of taxpayer information disclosed and
the disclosure format and frequency.

[1] Specifically, section 6103(h)(5) permits the disclosure of
taxpayer information to SSA and RRB. According to IRS data, no
disclosures have been made under this provision for numerous
years.

Table III.2: Disclosure to Federal Agencies for Statistical
Purposes

Taxpayer information provided             Format       Frequency
----------------------------------------  -----------  ---------------------
Information returns master file (SSN,     Tape         Annually
  name, address)
Individual master file extract (SSN,      Tape         Annually
  name, address, marital status,
  exemptions, dependents, income, and
  return type)
Corporate income tax return information   Tape         Annually
  (name, address, EIN, net income or
  loss, assets, and gross receipts)
Employment tax returns records (EIN,      Tape         Weekly
  total compensation paid, taxable
  period, number of employees, total
  taxable wages paid, and tip income)
Business master file entity (EIN, name,   Tape         Monthly, annually [a]
  address, filing requirements,
  accounting period, and employment
  code)
Weekly economic data and economic and     Tape         Annually
  agriculture census (SSN, EIN,
  address, receipts, accounting period,
  wages, interest, assets, and cost of
  goods)
Information from application for EIN      Tape         Monthly, annually [b]
Statistics of income corporate sample     Tape         Annually
  (credits, balance sheet, income
  statement, and tax items)

Legend
EIN  Employee identification number
SSN  Social Security number

[a] Selected entity data such as EIN, name, address, etc., are
disclosed annually. Changes in business status, such as those
resulting from births, deaths, etc., are disclosed monthly.
[b] Monthly disclosures are made to SSA, and with IRS approval,
SSA can disclose information to Census annually.

Source: IRS' Office of Safeguards.

Under IRC section 6103(l), disclosures can be made
to certain federal agencies for purposes other than for tax
administration.[2] Disclosure of taxpayer information can be made
to any federal agency administering a federal loan program,[3] as
well as to those federal agencies administering certain programs
under the Social Security Act, the Food Stamp Act of 1977, title
38 U.S.C., or certain other housing assistance and benefits
programs. Disclosures can also be made to SSA, RRB, the Pension
Benefit Guaranty Corporation, and the Department of Labor for the
administration of the Employee Retirement Income Security Act of
1974 and for carrying out a return processing program. The
Veterans Health Administration, Veterans Benefits Administration,
and Department of Housing and Urban Development also receive
federal taxpayer information from SSA and IRS under the authority
of IRC section 6103(l)(7) for use in administering programs
authorized under title 38 and certain housing assistance programs.
SSA also receives unearned income information from IRS, which it
uses in administering the Supplemental Security Income program.
Additionally, IRC section 6103(l) allows disclosure by SSA to the
Health Care Financing Administration and to certain other agencies
for determining eligibility for, or the correct amount of,
benefits. Table III.3 shows the types of taxpayer information
disclosed and the disclosure format and frequency.

[2] Sections 6103(l)(6), (7), and (8) also allow disclosure of
taxpayer information to state and local agencies for child support
and welfare purposes.
[3] Disclosure is limited to information regarding whether or not
an applicant for a loan has a tax delinquent account.

Table III.3: Disclosure to Federal Agencies for Purposes Other
Than Tax Administration

Taxpayer information provided             Format       Frequency
----------------------------------------  -----------  -----------------
Form 8300 information                     Hard copy    Upon request
Tax liability and delinquency             Hard copy    Upon request
  information
W-2s and W-3s (wage data submitted by     Electronic,  Upon request
  employers)                              hard copy
Unearned income from various Form 1099s   Tape         Monthly
Wages, self-employment earnings and       Tape,        Monthly, annually
  retirement income                       electronic
SSN, filing and marital status, taxpayer  Tape,        Upon request
  name, addresses, employee EINs          electronic
Individual income tax return information  Tape         Monthly
  (SSN, filing status, amount and nature
  of income, number of dependents)

Legend
EIN            Employee identification number
Form 1099s     Interest, dividend, and miscellaneous income
               statements
Form 8300      Report of Cash Payments Over $10,000 Received in a
               Trade or Business
SSN            Social Security number
W-2s and W-3s  Wages and tax statements

Note: Data regarding Social Security payments are not considered
taxpayer information because they are derived from SSA records.
Wage data obtained from W-2s and W-3s and self-employment income
and other income data received from IRS are taxpayer information.

Source: IRS' Office of Safeguards.

IRC section
6103(m) allows the disclosure of taxpayer information for
collecting federal claims and for locating registered blood
donors. All federal agencies can receive the information for
collection of claims, such as student loans, under the Federal
Claims Collection Act. The Department of Health and Human Services
receives the taxpayer information as part of its Blood Locator
Service, for the purpose of locating donors. IRC section 6103(o)
allows disclosures for the collection of certain taxes on alcohol,
tobacco, and firearms. Table III.4 shows the types of taxpayer
information disclosed and the disclosure format and frequency.

Table III.4: Disclosure to Federal Agencies for Collecting Certain
Federal Claims and Taxes and for Locating Donors

Taxpayer information provided             Format       Frequency
----------------------------------------  -----------  ------------
Social Security number, taxpayer name,    Tape         Weekly
  address
Taxpayer name, address                    Electronic   Weekly

Source: IRS' Office of Safeguards.

Appendix IV
Overview of Information Provided to State and Local Agencies Under
the Provisions of IRC Section 6103

Under the provisions of
Internal Revenue Code (IRC) section 6103(d), the Internal Revenue
Service (IRS) is authorized to make disclosures for state tax
administration purposes to state tax officials and state and local
law enforcement agencies. In general, taxpayer information can be
disclosed to any state agency, body, or commission, or its legal
representative for the administration of state tax laws, including
for locating any person who may be entitled to a state income tax
refund. Table IV.1 shows some of the types of taxpayer information
disclosed and the disclosure format and frequency.

Table IV.1: Disclosure to State Tax Officials and State and Local
Law Enforcement Agencies

Taxpayer information provided             Format       Frequency
----------------------------------------  -----------  ------------
Employment tax audit reports pertaining   Hard copy    Quarterly
  to Form 940 - Employers Annual
  Unemployment Tax Return
Audit results and information regarding   Hard copy    Quarterly
  reclassification of independent
  contractor to employee status
Individual and corporate income tax,      Hard copy    Monthly
  estate tax, partnership, fiduciary,
  excise tax, and exempt organization
  audit reports
Late-filed income tax returns with a      Hard copy    Quarterly
  balance due
Criminal tax investigation reports and    Hard copy    Quarterly
  taxpayer listing
Dyed diesel fuel inspection reports       Hard copy    Quarterly
Business tax return information (master   Tape         Annually
  file and return transaction file)
Form 1040 information and third-party     Tape         Quarterly
  information returns (underreporter
  program file)
Audit and appeals information (audit      Tape         Annually
  adjustments and appellate level
  results)
Individual income tax return information  Tape         Annually
  (master file and return transaction
  file)
Database of IRS third-party information   Tape         Annually
  returns (Form 1099s, W-2s, K-1s)
Payer and payee information from W-2s,    Tape         Monthly
  K-1s, Form 1099s, and Form 5498
Listing of taxpayers who did not itemize  Tape         Annually
  on their federal income tax return
Information on the taxpaying population   Tape         Upon request
  of a given state
Taxpayers' mailing addresses              Tape         Weekly

Legend
Form 940    Employers Annual Unemployment Tax Return
Form 1040   U.S. Individual Income Tax Return
Form 1099s  Interest, dividend, and miscellaneous income statements
Form 5498   Individual Retirement Arrangement Information
K-1s        Beneficiary's, partnership's, and shareholder's share
            of income, deductions, credits, etc.
W-2s        Wage and tax statement

Note: Agencies are also authorized to make specific requests for
tax information for a taxpayer they are working with. This may
include IRS examination and collection files, wage and income
information, bankruptcy files, and filing requirements for tax
administration purposes.

Source: IRS' Office of Safeguards.

In
addition to the types of taxpayer information shown in table IV.1,
in some states, the Attorney General's Office receives inheritance
tax and estate tax information from IRS, including tax credits and
closing letters to taxpayers. This type of taxpayer information is
disclosed quarterly on hard copy or magnetic tape.

In certain states, such as Texas, that have no state income tax,
the State Comptroller's Office, which is responsible for
collecting state sales and inheritance taxes, receives taxpayer
information from IRS. The taxpayer information consists of estate
and gift tax audit reports and income information, such as Form
1099s, on hard copy or magnetic tape, and transcripts of business
returns. This information is received on an ongoing, as well as on
a case-by-case, basis.

The state of Wyoming also does not have an income tax, but its
department of transportation enforces fuel tax laws. IRS provides
Wyoming with fuel tax adjustment results on hard copy and only
upon specific request.

Some cities, such as St. Louis and Kansas City, levy an
income-based tax on their residents and those taxpayers that work
in the city. These cities receive income tax audit reports from
IRS when adjustments are made to wages or self-employment income.
This information is received quarterly on hard copy.

IRC section 6103(l)(6) allows IRS to disclose taxpayer information
to state and local child support enforcement agencies.[1] In
general, taxpayer information can be disclosed to any state or
local child support enforcement agency for establishing and
collecting child support obligations, including any procedure for
locating individuals owing such obligations.

[1] IRC section 6103(l)(6) also permits IRS to disclose certain
taxpayer information to federal agencies, such as the Office of
Child Support Enforcement, a federal agency that oversees child
support enforcement at the federal level and acts as a coordinator
for most programs involved with child support enforcement.

IRC section 6103(l)(8) permits the Social Security Administration
(SSA) to disclose certain taxpayer information to state and local
child support enforcement agencies. However, section (l)(6) also
permits the disclosure of the same information, and more, to
federal, state, and local agencies. Currently, SSA is not making
any disclosures of taxpayer information to state and local child
support enforcement agencies under section 6103(l)(8), but is
making disclosures to the federal Office of Child Support
Enforcement (OCSE) on behalf of IRS. OCSE provides the names and,
if known, Social Security numbers. SSA performs computer matches
and provides Social Security numbers from SSA records, the last
known address from SSA records, and the address of the last known
employer from W-2 and W-3 taxpayer information. OCSE then provides
the information to the state and local child support enforcement
agencies. Table IV.2 shows the other types of taxpayer information
disclosed and the disclosure format and frequency.

Table IV.2: Disclosure to State and Local Child Support
Enforcement Agencies

Taxpayer information provided             Format       Frequency
----------------------------------------  -----------  ------------
Taxpayer addresses                        Tape         Weekly
Individual income tax return information  Tape         Monthly
  (Social Security number, filing
  status, amount and nature of income,
  number of dependents)

Source: IRS' Office of Safeguards.

Under IRC section 6103(l)(7), disclosures can be made to state and
local agencies administering certain programs under the Social
Security Act, the Food Stamp Act of 1977, title 38 U.S.C., or
certain other housing assistance and benefits programs. The
Deficit Reduction Act of 1984 required state public assistance
agencies administering certain programs under the Social Security
Act[2] or the Food Stamp Act of 1977[3] to establish an income
eligibility verification system. These agencies receive federal
taxpayer information under the authority of IRC 6103(l)(7) from
SSA and IRS to be used solely for the purpose of, and to the
extent necessary in, determining eligibility for, or the correct
amount of, benefits under the specified programs. The agencies
receive wage and self-employment information from SSA through
electronic transmissions and unearned income information (Form
1099s) from IRS through magnetic tapes. Table IV.3 shows the type
of information disclosed and the disclosure format and frequency.

[2] Temporary Assistance for Needy Families and Medicaid are the
programs commonly administered by state public assistance
agencies.
[3] The Personal Responsibility and Work Opportunity
Reconciliation Act of 1996 states that "Notwithstanding any other
provision of law, in carrying out the food stamp program, a State
agency shall not be required to use an income and eligibility or
an immigration status verification system . . . ."

Table IV.3: Disclosure to State and Local Welfare Agencies

Taxpayer information provided             Format       Frequency
----------------------------------------  -----------  ------------
Taxpayer addresses                        Tape         Weekly
Individual income tax return information  Tape         Monthly
  (Social Security number, filing
  status, amount and nature of income,
  number of dependents)

Note: Data from SSA regarding Social Security payments are not
considered taxpayer information because they are derived from SSA
records. Wages obtained from W-2s/W-3s and self-employment income
and other income data received from IRS are taxpayer information.

Source: IRS' Office of Safeguards.

Appendix V
Possible Uses for Federal Taxpayer Data Provided to Federal,
State, and Local Agencies

Internal Revenue Code (IRC) section 6103
is very specific about the authorized use of any federal taxpayer
data. During our study, Internal Revenue Service (IRS) officials
and other federal and state officials indicated that there are
many possible authorized uses for tax returns and return
information in accordance with IRC section 6103 requirements.
Agency officials stated that taxpayer information is used for tax
administration and law enforcement purposes, for the
administration of federal laws not related to tax administration,
for statistical uses, for establishing and collecting child
support obligations, and for determining eligibility for benefits.
Table V.1 outlines some of the specific uses of federal taxpayer
information.

Table V.1: Possible Uses of Taxpayer Information by Federal,
State, and Local Agencies

Agency           Possible use
---------------  --------------------------------------------------
Federal          Tax administration and tax withholding purposes
                 Criminal investigation and litigation
                 Reporting criminal activities
                 Judicial or administrative procedures
                 Enforce federal criminal or civil statutes
                 Locate fugitives from justice
                 Conducting government program audits
                 Statistical purposes
                 Offsets
                 Storing and maintaining data for IRS
                 Administration of welfare and public assistance
                   programs
                 Collection and enforcement of child support
State and local  Verify taxpayer filed original or amended return
                   and initiate state audit
                 Initiate state penalty investigation
                 Audit selection
                 Provide listing of alleged violators of criminal
                   tax laws
                 Verify or update addresses
                 Skip tracing
                 Sales tax matching
                 Identify nonfilers
                 Determine discrepancies in reporting of income
                 Identify S corporation shareholders who avoid
                   state tax by taking dividends in lieu of wages
                 Statistical and revenue forecasting
                 Identify payers and employers not reporting to
                   state and determine underreporters
                 Identify partnerships with changes in number of
                   partners to detect possible sale of partnership
                   interest
                 Compare officers' salaries and total wages paid
                   on corporate returns to withholding tax filed
                 Compare federal tax withheld to state tax withheld
                 Locate delinquent taxpayers
                 Identify out-of-state income
                 Motor fuels, estate, and gift tax enforcement
                 Unearned income matching
                 Provide income information for collection purposes
                 Administration of welfare and public assistance
                   programs
                 Offsets
                 Collection and enforcement of child support
                 Civil and criminal investigation and litigation

Source: IRS' Office of Safeguards.

Appendix VI
Summary of Tax Information Security Guidelines for Federal, State,
and Local Agencies

As a condition of receiving taxpayer information,
agencies must show, to the satisfaction of the Internal Revenue
Service (IRS), that their policies, practices, controls, and
safeguards adequately protect the confidentiality of the taxpayer
information they receive from IRS. The agencies must ensure that
the information is used only as authorized by statute or
regulation and disclosed only to authorized persons. IRS has
implemented specific guidelines that all federal, state, and local
agencies are to follow to properly safeguard taxpayer information.
These guidelines, outlined in IRS Publication 1075, Tax
Information Security Guidelines for Federal, State and Local
Agencies, are summarized below.

Requesting Taxpayer Information

Federal, state, and local agencies, and other authorized recipients,
may request taxpayer information from IRS in the form of a written
request signed by the head of the requesting agency or other
authorized official. IRS also requires that a formal agreement, a
Safeguard Procedures Report, be provided
by the agency that specifies the procedures established and used
by the agency to prevent unauthorized access and use and describes
how the information will be used upon receipt. The Safeguard
Procedures Report should be submitted to IRS at least 45 days
before the scheduled or requested receipt of taxpayer information.
Any agency that receives taxpayer information for an authorized
use under Internal Revenue Code (IRC) section 6103 may not use the
information in any manner or for any purpose not consistent with
that authorized use. If an agency needs federal tax information
for a different authorized use under a different provision of IRC
section 6103, a separate request under that provision is
necessary. An unauthorized secondary use is specifically
prohibited and may result in discontinuation of disclosures to the
agency and in the imposition of civil or criminal penalties on the
responsible officials. Before granting agency officers and
employees access to taxpayer information, officers and employees
should certify that they understand security procedures and
instructions requiring their awareness and compliance. Employees
should be required to maintain their authorization to access
taxpayer information through annual recertification. As part of
the certification and at least annually, employees should be
advised of the provisions of IRC 7213(a), 7213A, and 7431.[1]
Agencies should make officers and employees aware that disclosure
restrictions and the penalties apply even after employment with
the agency has ended.

[1] IRC sections that prescribe civil and criminal penalties for
unauthorized inspection or disclosure.

Taxpayer information may be obtained by state tax
agencies from IRS only to the extent the information is needed,
and is reasonably expected to be used, for state tax
administration. Some state disclosure statutes and administrative
procedures permit access to state tax files by other agencies,
organizations, or employees not involved in tax matters. IRC
6103(d) does not permit access to taxpayer information for
purposes other than for state tax administration. State and local
tax agencies are not authorized to furnish taxpayer information to
other state agencies, tax or nontax, or to political subdivisions,
such as cities or counties, for any purpose, including tax
administration. State and local tax agencies may not furnish
taxpayer information to any other states, even where agreements
have been made, informally or formally, for the reciprocal
exchange of state tax information. Also, nongovernment
organizations, such as universities or public interest
organizations performing research, cannot have access to taxpayer
information. Statutes that authorize disclosure of taxpayer
information do not authorize further disclosures. Unless IRC
section 6103 provides for further disclosures by the agency, the
agency cannot make such disclosures. Each agency must have its own
exchange agreement with IRS or with the Social Security
Administration (SSA). When an agency is receiving data under more
than one section 6103 authorization, each exchange or release of
taxpayer information must have a separate agreement. An agency's
records of the taxpayer information it requests should include
some account of the result of its use or why the information was
not used. If an agency receiving taxpayer information on a
continuing basis finds it is receiving information that, for any
reason, it is unable to utilize, it should contact IRS to modify
the request.

Recordkeeping Requirements

Federal, state, and local agencies authorized under IRC section 6103
to receive taxpayer information are required by IRC section
6103(p)(4)(A) to establish a permanent system of standardized
records of requests
made by or to them for disclosure of the information. The records
are to be maintained for 5 years or for the applicable records
control schedule, whichever is longer. When taxpayer information
is received in electronic form, authorized employees of the
recipient agency must be responsible for securing magnetic tapes
or cartridges before processing and ensuring that the proper
acknowledgment form is signed and returned to IRS. Tapes
containing federal taxpayer information, any
hard-copy printout of a tape, or any file resulting from the
processing of a tape is to be recorded in a log that identifies
(1) date received; (2) reel or cartridge control number contents;
(3) number of records; (4) movement; and (5) if disposed of, the
date and method of disposition. Taxpayer information, other than
that in electronic form, must be maintained by (1) taxpayer name;
(2) tax year(s); (3) type of tax return or return information; (4)
reason for the request; (5) date requested; (6) date received; (7)
exact location of the taxpayer information; (8) who has had access
to the data; and (9) if disposed of, the date and method of
disposition. If the agency has the authority to make further
disclosures, information disclosed outside the agency must be
recorded on a separate list that reflects to whom the disclosure
was made, what was disclosed, and why and when it was disclosed.

Secure Storage

IRS has categorized taxpayer and privacy information as
high-security items. Security for a document, item,
or an area may be provided by locked containers of various types,
vaults, locked rooms, locked rooms with reinforced perimeters,
locked buildings, guards, electronic security systems, fences,
identification systems, and control measures. The required
security for taxpayer information received depends on the
facility, the function of the agency, how the agency is organized,
and what equipment is available. Agencies receiving taxpayer
information are required to establish a uniform method of
protecting data and items that require safeguarding. The Minimum
Protection Standards System, which is utilized by most agencies,
has been designed to provide agencies with a basic framework of
minimum-security requirements. Since some agencies may require
additional security measures, they should analyze their individual
circumstances to determine the security needs at their facility.
Care must be taken to deny access to areas containing taxpayer
information during normal working hours. This can be accomplished
by restricted areas, security rooms, or locked rooms. In addition,
taxpayer information in any form (computer printout, photocopies,
tapes, notes, etc.) must be protected during nonworking hours.
This can be done through a combination of methods, including a
secured or locked perimeter or secured area. When it is necessary
to move taxpayer
information to another location, plans must be made to properly
protect and account for all of the information. Taxpayer
information must be in locked cabinets or sealed packing cartons
while in transit. Accountability should be maintained to ensure
that cabinets or cartons do not become misplaced or lost. The
handling of taxpayer information and tax-related documents must be
such that the documents do not become misplaced or available to
unauthorized personnel. Only those employees who have a need to
know and to whom disclosures may be made under the provisions of
the statute should be permitted access to information. In the
event that taxpayer information is hand-carried by an individual
in connection with a trip or in the course of daily activities, it
must be kept with that individual and protected from unauthorized
disclosure. Data stored and processed by computers and magnetic
media should be physically secured and controlled in a restricted
access area. If the confidentiality of the taxpayer information
can be adequately protected, alternative work sites, such as
employees' homes or other nontraditional work sites, can be used.
Despite location, taxpayer information remains subject to the same
safeguard requirements and the highest level of attainable
security.

Restricting Access to Taxpayer Information

Agencies are required by IRC 6103(p)(4)(C) to restrict access to
taxpayer information only to persons whose duties or
responsibilities require access. Taxpayer information should be
clearly
labeled "federal tax information" and handled in such a manner
that it does not become misplaced or available to unauthorized
personnel. Access to taxpayer information must be strictly on a
need-to-know basis. Information must never be indiscriminately
disseminated, even within the recipient agency. Agencies must
evaluate the need for taxpayer information before the data are
requested or disseminated. An employee's background and security
clearance should be considered when designating authorized
personnel. No person should be given more taxpayer information
than is needed to perform his or her duties. To avoid inadvertent
disclosures, it is recommended that taxpayer information be kept
separate from other information to the maximum extent possible. In
situations where physical separation is impractical, the file
should be clearly labeled to indicate the taxpayer information is
included and the file should be safeguarded. Any commingling of
data on tapes should be avoided. Processing of taxpayer
information in magnetic media format, microfilms, photo
impressions, or other formats should be performed by agency-owned
and -operated facilities, or contractor or agency shared
facilities. All systems that process taxpayer information must
meet the provisions of OMB Circular A-130, appendix III and
Treasury Directive Policy 71-10. The Department of Defense Trusted
Computer System Evaluation Criteria (DOD 5200.28-STD), commonly
called the "Orange Book," should be used as the basis for
establishing systems that process taxpayer information. All
computer systems processing, storing, and transmitting taxpayer
information must have computer access protection controls
(controlled access protection level C-2). To meet C-2
requirements, the operating security features of the system must
have (1) a security policy, (2) accountability, (3) assurance, and
(4) documentation. Agencies should assign overall responsibility
to an individual (security officer) who is knowledgeable about
information technology and applications. This individual should be
familiar with technical controls used to protect the system from
unauthorized entry. The two acceptable methods of transmitting
taxpayer information over telecommunications devices are
encryption and the use of guided media. Encryption involves the
altering of data objects in a way that the objects become
unreadable until deciphered. Guided media involves the use of
protected microwave transmissions or the use of end-to-end fiber
optics. Connecting the agency's computer system to the Internet
will require "firewall" protection to reduce the threat of
intruders accessing data files containing taxpayer information.
Agencies receiving taxpayer information from IRS are also required
to conduct internal inspections. The purpose of these inspections
is to ensure that adequate safeguard and security measures are
maintained. Agencies should submit copies of these inspections to
IRS with their annual Safeguard Activity Report.

Safeguard Reporting and Review Requirements

IRC section 6103(p)(4)(E) requires agencies receiving taxpayer
information to file a report that describes the procedures
established and used by the agency for ensuring the confidentiality
of the information received from IRS. The Safeguard Procedures
Report is a record of how taxpayer information is to be processed
and protected from unauthorized disclosure. Agencies should submit
a new Safeguard
Procedures Report every 6 years or whenever significant changes
occur in their safeguard program. Agencies must file an annual
Safeguard Activity Report, which advises IRS of changes to the
procedures or safeguards described in the Safeguard Procedures
Report. The Safeguard Activity Report also (1) advises IRS of any
future actions that will affect the agency's safeguard procedures,
(2) summarizes the agency's current efforts to ensure the
confidentiality of the taxpayer information, and (3) certifies
that the agency is protecting taxpayer information in accordance
with IRC section 6103 requirements and the agency's own security
requirements. A safeguard review is an on-site evaluation of the
use of federal tax information received from IRS and the measures
used by the receiving agency to protect that data. IRS conducts
on-site reviews of agency safeguards regularly. Reviews of state
and local agencies are conducted by IRS District Disclosure
personnel. Reviews of federal agencies and state welfare agencies
are conducted by the IRS Office of Governmental Liaison and
Disclosure, Office of Safeguards. IRS safeguard reviews cover the
six requirements of IRC section 6103(p)(4), which are (1)
recordkeeping, (2) secure storage, (3) restricting access, (4)
other safeguards, (5) reporting requirements, and (6) disposal.

Disposal of Taxpayer Information

Agencies are required by IRC section 6103(p)(4)(F) to take certain
actions upon completion of their use of taxpayer information in
order to protect its confidentiality. Agency officials and employees
should either
return the information, and any copies, or make the information
"undisclosable" and include in the agency's annual report a
description of the procedures used. If the agency elects to return
the information, a receipt process should be used. Taxpayer
information should never be provided to agents or contractors for
disposal unless authorized by the IRC.

Appendix VII
Examples of Deficiencies Found During IRS' Reviews of Agencies'
Safeguarding Procedures

The Internal Revenue Service (IRS)
routinely conducts on-site reviews of agencies' safeguard
procedures to ensure that the procedures fulfill IRS requirements
for protecting taxpayer information from unauthorized disclosure.
After completing the review, IRS prepares a report of its findings
and recommendations and sends the report to the agency for
comment. Upon receiving the agency's comments, IRS annotates its
report to indicate whether it accepts responses as correcting any
discrepancies reported.

Case Examples

The following excerpts are examples of the findings, discussions,
recommendations, agency responses, and IRS comments found in recent
IRS reports of safeguard reviews.

Case One

Finding

The agency permitted
a number of contractors to have access to return information. Some
of the contractors are authorized to have access, while others are
not. Also, when contractor access was authorized, the agency was
not always including "safeguarding" clauses in all contracts.

Discussion

The agency uses hundreds of contractors. Internal
Revenue Code (IRC) section 6103 generally does not authorize
contractors to have access to federal taxpayer information.
Certain exceptions exist, such as section 6103(n), which permits
contracts for tax administration purposes, and section 6103(m)(2)
and (7), which permit disclosures for the collection of federal
debt and for the mailing of personal earnings and benefits
estimate statements, respectively. However, there is not an
exception for the purposes of administering the agency
responsibilities under the act, nor for most other IRC section
6103 authorized disclosures. The agency uses contractors for the
printing of the personal earnings and benefits estimate statements
and has included a "safeguarding" clause, which requires that the
contractor's employees be made aware of the taxpayer information,
its restricted access and use, and the penalty provisions for
unauthorized access or use. The agency also uses a contractor for
developing microfilm with taxpayer information. This contractor is
authorized access, but the contract does not contain
"safeguarding" language relating to taxpayer information. It does
have confidential clauses relating to the Privacy Act provisions.
The agency has also contracted out for the disposal of the paper
Form W-2s and W-3s received. An earlier contract allowed for the
contractor to shred the material to 2-inch strips or less, which
does not meet the IRS required standard of 5/16-inch or less for
shredding.
The current contract states that all material will be totally
destroyed beyond legibility or reconstruction through shredding,
maceration, or pulping. However, a visit to the contractor's site
revealed that the contractor is shredding material, but not always
to the original 2-inch requirement. The required "safeguarding"
clauses are not in the contract, and the employer is not advising
his employees of the confidentiality and penalties associated with
accessing taxpayer information. Many other storage, retrieval, and
disposal activities are contracted out by the agency. Two units of
the agency use contractors to conduct most of the activities at
their facilities, where beneficiary files (with taxpayer
information) are stored in open boxes. This is also true of the
records center that the agency contracts with to store, dispose
of, and retrieve millions of beneficiary files. Other units of the
agency are also contracting out for disposition of information.
IRC section 6103 does not authorize these contractors to have
access to taxpayer information, which they do.

Recommendation

In order to comply with IRC section 6103 and with IRS standards,
the agency needs to review its use of contractors. When
contractors are authorized to have access to taxpayer information,
the agency needs to ensure that "safeguarding" clauses are
included in the contracts. When contractors are not authorized
access to this information, the agency needs to ensure that it is
not permitting such access. Specific examples include
* adding the safeguarding clauses to the microfilm development
  contract;
* adding the safeguarding clauses to the contract for the disposal
  of paper return information, mainly W-2s and W-3s;
* ensuring that disposal methods meet IRS standards;
* developing policies and procedures to ensure that contractors who
  are not authorized to have access do not have access; and
* making units and field offices aware of "unauthorized access" by
  contractors.

Agency Response

The agency agreed that safeguarding clauses need to be included in
contracts when contractors are authorized to have access to taxpayer
information and that contractors should not have access unless
authorized.

IRS Comment

IRS was still reviewing this agency's safeguard report and had not
finalized its comments at the time we prepared our report.

Case Two

Finding

The
recordkeeping system at the agency's field offices does not meet
all of the statutory requirements for tax information
accountability.

Discussion

When federal tax returns or return information are received,
agencies are required to maintain a record of
* taxpayer name,
* tax year(s),
* type of information,
* reason for request,
* date requested,
* date received,
* exact location of data, and
* who has had access to the data.
Further, if and when the data are disposed of, agencies
are required to maintain a record of the date and method of
disposition. Agency field offices maintain a system of records for
tracking documents and evidence obtained during a criminal
investigation. Returns and return information are generally placed
in an evidence envelope and associated with the case files, which
are kept in the office's filing area. The envelope is annotated as
to contents and any additional descriptive information the case
agent may write down. The agency's system of standardized records
contained many of the required items listed above, but not all of
them. Further, tax documents controlled by the agency's seizure
team unit may not necessarily show who has had access to the
information.

Recommendation

Since information used to track
returns and return information is dependent upon information
furnished by the case agent, the agency should ensure that the
agents are aware of the elements required to meet the statutory
requirements for tracking federal tax data. Also, the seizure team
unit may wish to consider using some type of "charge-out" form to
record accesses to tax information.

Agency Response

The
agency uses a central recordkeeping system for maintaining all
investigative files. The system is outlined in the Federal
Register. During IRS' review, access to information by the IRS
team was limited to the federal tax return and return information
contained in the evidence envelope, and not to the entire file.
Information regarding the taxpayer name, tax year(s), reasons for
request, and data requested is contained in the case file and
supplied to IRS during
the request for the information. The date received and type of
information is maintained in the evidence log. Access to case
information is restricted based on the need-to-know and to
individuals having a file on the case. Agency procedures used for
controlling access to federal tax return and return information
within the seizure team unit are the same procedures used for
investigative information. Information is restricted to
individuals with a role in the asset forfeiture.

IRS Comment

Along with the agency's response, the appropriate Federal Register
cite was provided. The agency's response was accepted.

Case Three

Finding

Agency employees that have access to federal
tax data are not aware of the criminal and civil penalties that
can be imposed for unauthorized disclosure of the data.

Discussion

IRS Publication 1075 requires that, as part of an agency's
employee awareness program, each employee that has access to
federal tax data should receive copies of IRC sections 7213(a) and
7431, which describe the criminal and civil penalties applicable
to the unauthorized disclosure of federal tax data. In addition,
employees must be advised at least annually of these provisions.
Personnel that IRS' review team talked with could not recall
receiving copies of the IRC penalty provisions. Employees receive
periodic reminders about protecting sensitive information;
however, they are not specifically reminded of the provisions of
IRC sections 7213(a) and 7431.

Recommendation

All employees
that are authorized to have access to federal tax data should
receive a copy of IRC section 7213(a) and 7431, and they should be
reminded at least annually of the criminal and civil penalties
that can be imposed under the IRC for the unauthorized disclosure
of federal tax data.

Agency Response

Although employees were
not specifically aware of the penalties for unauthorized
disclosure of federal tax data as contained in the IRC, agency
employees knew about the penalties for unauthorized disclosure of
information contained in investigative files.

IRS Comment

The revised IRS Publication 1075 now contains penalty provisions
in exhibits 3 and 4. Along with the agency response, IRS received
a copy of Security Bulletin 96-03 with attachments A-2 and A-3,
with instructions that the information in the document be reviewed
annually by all personnel who have access to tax return and return
information provided to the agency by IRS. Observance of Security
Bulletin 96-03 will satisfy the IRS requirement.

Case Four

Finding

The last Safeguard Activity Report for this agency was dated June
29, 1995, 2 years before the review. Also, the report did not
contain the information as required in IRS Publication 1075.
Additionally, IRS records showed the last Safeguard Procedures
Report was submitted in 1988.

Discussion

The statute
requires reports to be furnished to IRS describing the procedures
established and utilized to ensure the confidentiality of tax data
received from IRS. After the submission of the Safeguard
Procedures Report, a written Safeguard Activity Report is to be
submitted annually to give information regarding the agency's
safeguard program. The Safeguard Procedures Report should be
updated as changes occur, and a new report submitted when
warranted.

Recommendation

A Safeguard Activity Report must be
submitted to IRS no later than January 31 each year. The report
must contain the required information as shown in IRS Publication
1075. Because of changes within the agency since 1988, a current
Safeguard Procedures Report was requested.

Agency Response

The
agency responded that it would comply with all reporting
requirements. It assigned its internal audit unit the annual
inspection as required by IRS Publication 1075 and planned to
submit the Safeguard Activity Report. The agency submitted an
updated Safeguard Procedures Report.

IRS Comment

IRS
accepted the response, but explained to the agency that the
Safeguard Procedures Report was not a "one-time" report and that
it should be updated as changes occur and a new one submitted when
warranted. IRS requested that a revised version be submitted
reflecting changes made as a result of IRS' review.

Case Five

Finding

The agency's records did not list some
employees who were receiving and using taxpayer information to
determine Medicaid eligibility.

Discussion

The Deficit
Reduction Act of 1984 requires states to have an income and
eligibility verification system for use in administering certain
benefits programs. State welfare agencies are required to obtain
and use unearned income data from IRS and other wage and income
data from SSA in the verification process of these benefits
programs. Accordingly, IRC section 6103 authorizes the disclosure
of taxpayer information to federal, state, and local agencies by
IRS or SSA for use in the administration of these benefits
programs. As a condition of receiving taxpayer information, state
welfare agencies are required to maintain a permanent system of
standardized records that documents all requests for, receipt of,
and disclosures of taxpayer information made to or by the
agencies. During its review of this agency, IRS found that, while
some employees acknowledged using taxpayer information, the
agency's records did not list the employees as having received
taxpayer information. IRS found that taxpayer information, in the
form of a printout, was being disclosed to Medicaid technicians
who are stationed at various state hospitals. The technicians
receive the information to determine Medicaid eligibility for
applicants who were hospitalized. Upon receipt from the agency's
mailroom, the printout is accompanied by an acknowledgment form
that employees must sign, indicating receipt of taxpayer
information. IRS found that technicians were properly signing the
acknowledgment form and returning it to the mailroom to indicate
receipt of the information. However, the agency's records did not
reflect that taxpayer information was being disclosed from the
agency to its employees located at these various state hospitals.

Recommendation

The state hospitals that get taxpayer
information should be included so that the agency's records
reflect a complete and accurate listing of all requests, receipts,
and disclosures of taxpayer information.

Agency Response

The
Medicaid technicians are stationed at the state hospitals at
various times. For this reason, any disclosure of taxpayer
information to these hospitals will be managed by an agency
coordinator. To improve recordkeeping, the coordinator will
provide a listing of the disclosures, and this list, along with
the agency acknowledgment forms, will be maintained in the
standardized records. The General Services Mail and Distribution
Manager will ensure that the records are received.

IRS Comment

Agency's response was acceptable.

Other Deficiencies

Table VII.1 summarizes some of the other deficiencies found during
IRS' on-site safeguard reviews of federal, state, and local
agencies.

Table VII.1: Examples of Agency Deficiencies Found During IRS'
Safeguard Reviews

General category, followed by the specific deficiencies noted:

Maintaining system of standardized records
* No system exists for ensuring that all keys to secure areas are
  accounted for or that access to keys is restricted.
* No records exist of when taxpayer information was received and
  destroyed, or of how the information was destroyed.

Maintaining secure storage
* Taxpayer information locked in the supervisor's office, but not in
  locked containers or file cabinets, which would properly protect
  the information from inadvertent or unauthorized disclosure.
* Agency mailroom not secure during nonduty hours, and employees are
  leaving taxpayer information unsecured, in unlocked containers.
* No reconciliation of transmittal documents to actual receipts and
  shipments of federal return information.
* There was not adequate protection for tax information. There was
  no agency requirement that containers be locked, and some
  containers cannot be locked.
* There was not a specific individual responsible for physical
  security.

Restricting/limiting access
* Ground floor entrances were not locked during office hours, and
  there was a need for "Employee Only" signs.
* IRS tapes and income and eligibility verification system documents
  were transported via unsecured courier service.
* Tax information was combined with nontax information and
  accessible by other employees not directly involved in program.
* Several federal tax documents were found that were not labeled as
  such.
* Agency was sharing taxpayer information with other state agencies
  and contractors that are not authorized to receive information.

Disposal of taxpayer information
* Agency was using an unauthorized method of destroying taxpayer
  information.
* Existing procedures for repairs to equipment do not appear to
  address removal of federal return information before repairs are
  made.
* Agency was not utilizing proper destruction procedures for
  taxpayer information that is no longer being used.

Computer security
* Computer systems containing tax information do not display warning
  banners reminding employees of safeguarding requirements and
  associated penalties.
* Agency was not promptly removing from the system employees that no
  longer needed access to taxpayer information.
* Taxpayer data was not transmitted through secure communication
  lines to prevent unauthorized use or access.
* Unsecured dial-in modems were being used for taxpayer information
  on agency systems, and information on the mainframe was not
  adequately restricted.

Other safeguards
* Employees were not properly trained on all aspects of safeguarding
  tax information. Some were not aware of the civil and criminal
  penalties associated with unauthorized disclosure or of the
  Taxpayer Browsing Act.
* Internal security inspections were not conducted, or the results
  were not documented. There was no documentation of corrective
  actions, if any were taken.
* The agency needs to post signs and send memos to remind employees
  of their responsibility to safeguard federal tax information.

Source: IRS Office of Safeguards.

Appendix VIII
Staffing Levels for IRS' Office of Safeguards

Listed below are the
staffing levels, as of June 1999, for IRS' national and district
offices that are responsible for IRS' safeguarding program. In
addition to overseeing the safeguarding program, the district
offices have responsibilities for a variety of other disclosure
activities. These activities include, among other things,
conducting disclosure awareness seminars for state and local
agency personnel, processing Freedom of Information Act and
Privacy Act requests, processing ex parte orders for grand jury or
federal criminal investigations, testifying in federal court to
certify that certain documents are true copies of tax return
information, and reviewing subpoenas served to IRS personnel to
advise them of what they can and cannot disclose in court.

Number of staff

Office                                    Professional  Support  Total
National Office of Safeguards                       12              12
I Midstates Region                                   3               3
1 Arkansas-Oklahoma District                         4        1      5
2 Houston District(a)                                5               5
3 Illinois District                                  9        2     11
4 Kansas-Missouri District                           7        1      8
5 Midwest District                                  11        2     13
6 North Central District                             8               8
7 North Texas District(a)                            6        1      7
8 South Texas District                               5        1      6
Regional subtotal                                   58        8     66
II Northeast Region                                  3               3
9 Brooklyn District(a)                               4               4
10 Connecticut-Rhode Island District                 4               4
11 Manhattan District                                3        1      4
12 Michigan District                                 5               5
13 New England District                              9               9
14 New Jersey District                               4        1      5
15 Ohio District                                     5               5
16 Pennsylvania District                             6        1      7
17 Upstate New York District                         4        1      5
Regional subtotal                                   47        4     51
III Southeast Region                                 4               4
18 Delaware-Maryland District                        7        1      8
19 Georgia District                                  5        1      6
20 Gulf Coast District                               8        1      9
21 Indiana District                                  4               4
22 Kentucky-Tennessee District                       6        1      7
23 North Florida District                            5               5
24 North-South Carolina District                     5        1      6
25 South Florida District(a)                         4        1      5
26 Virginia-West Virginia District                   5               5
Regional subtotal                                   53        6     59
IV Western Region                                    3               3
27 Central California District                       6        1      7
28 Los Angeles District                              6        1      7
29 Northern California District                     11        2     13
30 Pacific-Northwest District                       10        1     11
31 Rocky Mountain District                           9        1     10
32 Southern California District                      8               8
33 Southwest District                                7               7
Regional subtotal                                   60        6     66
Total                                              230       24    254

(a) Not responsible for any safeguard review activities.

Source: IRS' Office of Safeguards.

Appendix IX
Questionnaires Used to Survey Federal, State, and Local Agencies
Receiving Taxpayer Information

Figure IX.1: Survey of Federal Agencies Receiving Taxpayer Data

Figure IX.2: Survey of State and Local Agencies Receiving Taxpayer
Data

Appendix X
Comments From the Internal Revenue Service

Appendix XI
GAO Contacts and Staff Acknowledgments

GAO Contacts
Cornelia Ashby, (202) 512-9110
Joseph Jozefczyk, (202) 512-9110

Acknowledgments
In addition to those named above, Michelle Bowsky, John Gates, Tim
Outlaw, Anne Rhodes-Kline, Kirsten Thomas, and Carrie Watkins made
key contributions to this report.
*** End of document. ***