The Internal Revenue Service has not established effective processes to ensure that its Privacy Impact Assessments are completed in a timely way, and are updated and made publicly available, with privacy policies posted on public Web sites for all required systems and collections of information, according to a new government report.
The report, from the Treasury Inspector General for Tax Administration, noted that the Privacy Act of 1974 regulates what personal information the federal government can collect about private individuals and how that information can be used. The E-Government Act of 2002 provides additional protection for personal information by requiring agencies to conduct Privacy Impact Assessments. The PIA is a process for examining the risks and ramifications of using information technology to collect, maintain, and disseminate information about members of the public and agency employees.
The report acknowledged that the IRS recognizes that privacy protection is both a personal and fundamental right of all taxpayers and employees. TIGTA’s audit was initiated at the IRS’s request to evaluate its implementation of the privacy provisions of the E-Government Act of 2002. In addition, the Consolidated Appropriations Act of 2005, Section 522, requires the Inspector General of each agency to evaluate privacy and data protection procedures.
Further, in December 2011, the IRS implemented the Privacy Impact Assessment Management System to automate the process of completing PIAs in a more efficient and less time-consuming way. However, TIGTA found that several key processes were not effectively automated. For example, privacy analysts must view numerous individual screens rather than scrolling through the information seamlessly, responses in the system are not grouped by topic or subject matter, and the automated e-mail notification function is not consistent.
“The privacy of taxpayer information is essential to taxpayer confidence in the fairness and integrity of the American system of tax administration,” said TIGTA Inspector General J. Russell George in a statement. “It is imperative that the IRS adopt our recommendations to ensure the effectiveness of this important initiative.”
TIGTA made 11 recommendations to the IRS, including that the IRS establish an annual reconciliation of PIA inventories with information systems and collections of information in the current production environment. The IRS should also document and publicize the customer survey PIA completion process, TIGTA recommended, and establish a PIA inventory control process to identify and review systems every three years as required. The agency should also automate the notification process to alert responsible officials when new or existing PIAs are required to be posted to the IRS public Web site, and ensure that current and complete standard operating procedures are established and maintained for all PIA processes.
The IRS agreed with nine of the recommendations but indicated that it had already implemented two recommendations by overhauling the PIAMS template and involving privacy analysts and other users in requirements gathering and testing of PIAMS functionality. TIGTA did not see evidence of these corrective actions and continues to believe that the PIAMS version, at the time of TIGTA’s review, could be improved to effectively automate the key privacy impact assessment processes.
“The IRS deployed the PIAMS to eliminate paper PIAs and reduce burden for all users,” wrote Rebecca A. Chiaramida, director of privacy, governmental liaison and disclosure at the IRS. “We have demonstrated the system to several other federal agencies, and Treasury plans to use the PIAMS as a model for PIA management in its other bureaus.”