Treasury Inspector General for Tax Administration

Office of Audit

IMPROVEMENTS ARE NEEDED TO ENSURE THE EFFECTIVENESS OF THE PRIVACY IMPACT ASSESSMENT PROCESS

Issued on February 27, 2013

Highlights

Highlights of Report Number: 2013-20-023 to the Internal Revenue Service Director, Privacy, Governmental Liaison, and Disclosure.

IMPACT ON TAXPAYERS

The Privacy Impact Assessment (PIA) process examines the risks and ramifications of using information technology to collect, maintain, and disseminate information in identifiable form about members of the public and agency employees.  The IRS recognizes that privacy protection is both a personal and fundamental right of all taxpayers and employees.

WHY TIGTA DID THE AUDIT

This audit was initiated at the request of the IRS to evaluate its implementation of the privacy provisions of the E-Government Act of 2002, which requires agencies to conduct PIAs.  In addition, the Consolidated Appropriations Act of 2005, Section 522, requires the Inspector General of each agency to evaluate privacy and data protection procedures.  This review was part of our statutory requirements to annually review the adequacy and security of IRS technology and addresses the major management challenge of Security for Taxpayer Data and Employees.

WHAT TIGTA FOUND

The IRS has not established effective processes to ensure that the PIAs are completed timely, updated, and made publicly available and that privacy policies are posted on public websites for all required systems and collections of information.  Further, in December 2011, the IRS implemented the Privacy Impact Assessment Management System (PIAMS) to automate the process of completing PIAs in a more efficient and less time-consuming way.  However, several key processes were not effectively automated.  For example, privacy analysts must view numerous individual screens rather than scrolling through the information seamlessly, responses in the system are not grouped by topic or subject matter, and the automated e-mail notification function is not consistent.

WHAT TIGTA RECOMMENDED

TIGTA made 11 recommendations to the Director, Privacy, Governmental Liaison, and Disclosure, which included the following:  1) establish an annual reconciliation of PIA inventories with information systems and collections of information in the current production environment; 2) document and publicize the customer survey PIA completion process; 3) establish a PIA inventory control process to identify and review systems every three years as required; 4) automate the notification process to alert responsible officials when new or existing PIAs are required to be posted to the IRS public website; and 5) ensure that current and complete standard operating procedures are established and maintained for all PIA processes.  TIGTA also recommended that IRS officials who develop third-party website information be directed to submit website proposal details and approval requests to the IRS New Media Governance Council and coordinate with website owners to post a link to the IRS privacy policy on these third-party websites.

The IRS agreed with nine of the recommendations but indicated that it had already implemented two recommendations by overhauling the PIAMS template and involving privacy analysts and other users in requirements gathering and testing of PIAMS functionality.  TIGTA did not see evidence of these corrective actions and continues to believe that the PIAMS version, at the time of our review, could be improved to effectively automate the key privacy impact assessment processes.

READ THE FULL REPORT

To view the report, including the scope, methodology, and full IRS response, go to:

http://www.treas.gov/tigta/auditreports/2013reports/201320023fr.html

E-mail Address: TIGTACommunications@tigta.treas.gov

Phone Number: 202-622-6500

Website: http://www.treasury.gov/tigta