Treasury Inspector General for Tax Administration
Office of Audit
IMPROVEMENTS ARE NEEDED TO ENSURE THE EFFECTIVENESS OF THE PRIVACY IMPACT ASSESSMENT PROCESS
Issued on February 27, 2013
Highlights of Report Number: 2013-20-023 to the Internal Revenue Service Director, Privacy, Governmental Liaison, and Disclosure.
IMPACT ON TAXPAYERS
The Privacy Impact Assessment (PIA) process examines the risks and ramifications of using information technology to collect, maintain, and disseminate information in identifiable form about members of the public and agency employees. The IRS recognizes that privacy protection is both a personal and fundamental right of all taxpayers and employees.
WHY TIGTA DID THE AUDIT
This audit was initiated at the request of the IRS to evaluate its implementation of the privacy provisions of the E-Government Act of 2002, which requires agencies to conduct PIAs. In addition, the Consolidated Appropriations Act of 2005, Section 522, requires the Inspector General of each agency to evaluate privacy and data protection procedures. This review was part of our statutory requirements to annually review the adequacy and security of IRS technology and addresses the major management challenge of Security for Taxpayer Data and Employees.
WHAT TIGTA FOUND
The IRS has not established effective processes to ensure that the PIAs are completed in a timely manner, updated, and made publicly available, and that privacy policies are posted on public websites for all required systems and collections of information. Further, in December 2011, the IRS implemented the Privacy Impact Assessment Management System (PIAMS) to automate the process of completing PIAs in a more efficient and less time‑consuming way. However, several key processes were not effectively automated. For example, privacy analysts must view numerous individual screens rather than scrolling through the information seamlessly, responses in the system are not grouped by topic or subject matter, and the automated e-mail notification function is not consistent.
WHAT TIGTA RECOMMENDED
The IRS agreed with nine of the recommendations but indicated that it had already implemented two recommendations by overhauling the PIAMS template and involving privacy analysts and other users in requirements gathering and testing of PIAMS functionality. TIGTA did not see evidence of these corrective actions and continues to believe that the PIAMS version, at the time of our review, could be improved to effectively automate the key privacy impact assessment processes.
READ THE FULL REPORT
To view the report, including the scope, methodology, and full IRS response, go to:
E-mail Address: TIGTACommunications@tigta.treas.gov
Phone Number: 202-622-6500