Treasury Inspector General for Tax Administration

Office of Audit

INCREASED MANAGEMENT OVERSIGHT OF THE SENSITIVE BUT UNCLASSIFIED WASTE DISPOSAL PROCESS IS NEEDED TO PREVENT INADVERTENT DISCLOSURE OF PERSONALLY IDENTIFIABLE INFORMATION

Issued on May 8, 2009

Highlights

Highlights of Report Number:  2009-30-059 to the Internal Revenue Service Chief, Agency-Wide Shared Services.

IMPACT ON TAXPAYERS

In November 2007, the Federal Trade Commission reported that, for the eighth year in a row, identity theft was the number one consumer complaint nationwide and that each year it affects more than 10 million Americans.  Consumers have lost more than $45 billion to identity thieves.  Taxpayers need to be assured that the Internal Revenue Service (IRS) is taking every precaution to protect their private information from inadvertent disclosure. 

WHY TIGTA DID THE AUDIT

More than 130 million taxpayers entrust the IRS with sensitive but unclassified (SBU) financial and personal data, much of it on paper documents.  The objective of this review was to determine whether the IRS has established effective controls to ensure that the security measures related to the disposal of tax and other SBU information are adequate to prevent disclosure of personally identifiable information (PII).

WHAT TIGTA FOUND

Specific responsibilities associated with the SBU waste disposal program need to be clearly defined and delineated.  In addition, the IRS needs greater standardization over the development and administration of contracts for the disposal of SBU waste.  Contracts for disposing of SBU waste and PII did not contain consistent specifications for key services.  Further, oversight to ensure vendors complied with contract specifications or other IRS requirements was not adequate.  TIGTA also found that policies related to the protection and disposal of paper documents containing PII need to be more widely communicated to employees and contractors.  At every location visited, documents containing PII or other SBU information were found in regular waste containers and/or dumpsters.  If security policies are not adequately communicated and adhered to, sensitive taxpayer and employee data are at an increased risk of disclosure or other improper usage.

WHAT TIGTA RECOMMENDED

TIGTA recommended that the Chief, Agency-Wide Shared Services, work with the Deputy Commissioner for Operations Support, as necessary, to establish authority and responsibility at the national level for the disposal and destruction of SBU waste/PII and establish policies and procedures to address internal control weaknesses.  The Chief, Agency-Wide Shared Services, should ensure that all SBU waste contracts include the Federal security requirements for SBU waste/PII disposal and destruction.  Additionally, improvements to oversight and management of SBU waste disposal contracts should include standardization of critical elements and the creation of a national database of all IRS facilities, the contracts covering SBU waste disposal, and the contractors that serve them.  Further, the Chief should provide complete, updated, and accurate guidance and education to all IRS management, employees, and contractors involved in any aspect of the collection, disposal, or destruction of SBU waste/PII.

IRS management agreed with all of our recommendations.  The IRS has taken actions to improve the SBU Waste Disposal Program, including enhanced oversight of SBU/PII waste disposal contracts.  Management has developed Standard Operating Procedures to allow for consistent oversight of the National Document Destruction Contract and the handling of SBU/PII information.  Management has also created a Performance Work Statement and Performance Requirements Summary to provide consistent national policies regarding critical elements such as the maintenance, storage, and updating of background investigations and disclosure safeguards and certificates of destruction.  Responsibilities for monitoring vendor adherence to contract requirements have been clearly defined and assigned.  In addition, the IRS has revised the Internal Revenue Manual on Information Protection to include SBU and PII standards and terminology.  Finally, the IRS plans to develop a communications plan to ensure continued awareness around policies and procedures for the destruction of PII and SBU information for both employees and contractors. 

READ THE FULL REPORT

To view the report, including the scope, methodology, and full IRS response, go to:

http://www.treas.gov/tigta/auditreports/2009reports/200930059fr.html. 

Email Address:   inquiries@tigta.treas.gov

Phone Number:   202-622-6500

Web Site:   http://www.tigta.gov