Treasury Inspector General for Tax Administration
April 9, 2013
TIGTA - 2013-11
Contact: David Barnes
WASHINGTON – The Internal Revenue Service (IRS) recognizes that privacy protection is both a personal and fundamental right of all taxpayers and employees. Its Privacy Impact Assessment (PIA) process examines the risks and ramifications of using information technology to collect, maintain, and disseminate information in identifiable form about members of the public and agency employees.
The IRS has not established effective processes to ensure that PIAs are completed in a timely manner, updated, and made publicly available, and that privacy policies are posted on public websites for all required systems and collections of information, according to a new report issued publicly today by the Treasury Inspector General for Tax Administration (TIGTA).
TIGTA’s audit was initiated at the request of the IRS to evaluate its implementation of the privacy provisions of the E-Government Act of 2002, which requires agencies to conduct PIAs. In addition, the Consolidated Appropriations Act of 2005, Section 522, requires the Inspector General of each agency to evaluate privacy and data protection procedures.
Further, in December 2011, the IRS implemented the Privacy Impact Assessment Management System (PIAMS) to automate the process of completing PIAs in a more efficient and less time-consuming way. However, TIGTA found that several key processes were not effectively automated. For example, privacy analysts must view numerous individual screens rather than scrolling through the information seamlessly, responses in the system are not grouped by topic or subject matter, and the automated e-mail notification function is not consistent.
“The privacy of taxpayer information is essential to taxpayer confidence in the fairness and integrity of the American system of tax administration,” said J. Russell George, the Treasury Inspector General for Tax Administration. “It is imperative that the IRS adopt our recommendations to ensure the effectiveness of this important initiative,” George added.
TIGTA made 11 recommendations to the Director, Privacy, Governmental Liaison, and Disclosure, that included the following: 1) establish an annual reconciliation of PIA inventories with information systems and collections of information in the current production environment; 2) document and publicize the customer survey PIA completion process; 3) establish a PIA inventory control process to identify and review systems every three years as required; 4) automate the notification process to alert responsible officials when new or existing PIAs are required to be posted to the IRS public website; and 5) ensure that current and complete standard operating procedures are established and maintained for all PIA processes.
The IRS agreed with nine of the recommendations but indicated that it had already implemented two recommendations by overhauling the PIAMS template and involving privacy analysts and other users in requirements gathering and testing of PIAMS functionality. TIGTA did not see evidence of these corrective actions and continues to believe that the PIAMS version, at the time of TIGTA’s review, could be improved to effectively automate the key privacy impact assessment processes.
Read the report.
Note: The difference between the date TIGTA issues an audit report to the Internal Revenue Service and the date TIGTA publicly releases the report is due to TIGTA's internal review process to ensure that public release is in compliance with Federal confidentiality laws.