IRS Must Improve Privacy Impact Assessment Process, TIGTA Says

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

The Internal Revenue Service should improve its privacy systems and policies to protect taxpayer and employee information, the Treasury Inspector General for Tax Administration (TIGTA) said in a report released April 9.

TIGTA found that IRS has not established effective processes to ensure that its Privacy Impact Assessments (PIAs), which examine the risks and ramifications of using information technology to gather and disseminate information, are adequately timed, completed, updated, and made publicly available.

“The privacy of taxpayer information is essential to taxpayer confidence in the fairness and integrity of the American system of tax administration,” J. Russell George, Treasury Inspector General for Tax Administration, said in remarks released with the report.

The IRS Strategic Plan 2009-2013 emphasized the agency's aim to ensure the privacy and security of data and the safety of its employees, stating that IRS “will redouble [its] efforts to detect and prevent security threats,” the report noted. The Privacy Impact Assessments are a part of this effort, and all federal agencies are required to conduct them under the E-Government Act of 2002, the report said.

“Despite its commitment toward privacy and improvements … the IRS continues to face challenges in meeting legislative privacy requirements,” TIGTA said.

Among these challenges, TIGTA found that:

• PIAs were not been completed or updated for all systems or customer surveys where taxpayer or employee information was collected and maintained;

• PIAs have not been posted on IRS's public website;

• PIAs may not be completed and submitted for internal SharePoint collaboration sites;

• privacy notices have not been posted on all external websites; and

• key PIA processes have not been documented in standard operating procedures.



TIGTA made 11 recommendations to improve the PIA system. Among them were calls to:

• establish an annual reconciliation of PIA inventories with information systems and collections of information in the current production environment;

• document and publicize the customer survey PIA completion process; and

• automate the notification process to alert responsible officials when new or existing PIAs are required to be posted on the IRS public website.

“It is imperative that the IRS adopt our recommendations to ensure the effectiveness of this important initiative,” George added.

IRS agreed with nine of the recommendations but indicated it already implemented two recommendations by overhauling the Privacy Impact Assessment Management System (PIAMS) template, a series of web pages that allow IRS employees to input required PIAs online.

IRS also said it was involving privacy analysts and other users in requirements gathering and testing of PIAMS functionality, the report said.

TIGTA said it did not see evidence of these corrective actions and continues to believe the PIAMS version, at the time of TIGTA's review, could be improved to effectively automate the key PIA processes.

The report, “Improvements Are Needed to Ensure the Effectiveness of the Privacy Impact Assessment Process” (2013-20-023), is available at


Request Bloomberg Law: Privacy & Data Security