oversight

Taxpayer Confidentiality: Federal, State, and Local Agencies Receiving Taxpayer Information

Published by the Government Accountability Office on 1999-08-30.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

                 United States General Accounting Office

GAO              Report to the Joint Committee on
                 Taxation, U.S. Congress



August 1999
                 TAXPAYER
                 CONFIDENTIALITY
                 Federal, State, and
                 Local Agencies
                 Receiving Taxpayer
                 Information




GAO-GGD-99-164
                                                                                         United States
                                                                             General Accounting Office
Washington, D.C. 20548                                                   General Government Division




                           B-282749

                           August 30, 1999

                           The Honorable Bill Archer
                           Chairman
                           The Honorable William V. Roth, Jr.
                           Vice Chairman
                           Joint Committee on Taxation

                           The concerns of citizens and Congress regarding individual rights to
                           privacy have made it important to assess the disclosure practices and
                           safeguards employed by the Internal Revenue Service (IRS) and other
                           federal, state, and local agencies to protect taxpayer information. Federal,
                           state, and local agencies are authorized under Internal Revenue Code
                           (IRC) section 6103 to receive from IRS the taxpayer information they need
                           to assist in their administration and enforcement of laws. These agencies
                           are required to protect the confidentiality of the information they receive
                           and implement safeguards that are designed to prevent unauthorized
                           access, disclosure, and use.

                           Section 3802 of the IRS Restructuring and Reform Act of 1998 requires that
                           both the Joint Committee on Taxation and the Secretary of the Treasury
                           conduct a study of the scope and use of section 6103 provisions regarding
                           taxpayer confidentiality. To assist in this effort, you requested that we
                           provide you with information about

                         • which federal, state, and local agencies receive taxpayer information from
                           IRS (see apps. I and II);
                         • what type of information they receive (see apps. III and IV);
                         • how the taxpayer information is being used (see app. V);
                         • what policies and procedures the agencies are required to follow to
                           safeguard taxpayer information (see app. VI);
                         • how frequently IRS is to monitor agencies’ adherence to the safeguarding
                           requirements; and
                         • the results of IRS’ most recent monitoring efforts (see app. VII).

                           According to IRS, there were 37 federal and 215 state and local agencies
Results in Brief           that received, or maintained records containing, taxpayer information
                           under provisions of section 6103 during 1997 or 1998. The information that
                           the agencies received included, among other things, the taxpayers’ names,
                           Social Security numbers, addresses, and wages. The information came in a
                           variety of formats (i.e., paper copy, electronic databases, and tape



                           Page 1                          GAO-GGD-99-164 Safeguarding Taxpayer Information
B-282749




extracts). Some agencies received the information on a regular schedule
(i.e., monthly, quarterly, or annually). Others received the information on
an as-needed basis, such as while conducting criminal investigations.

Federal, state, and local agencies said they used taxpayer information for
one of several purposes, such as administering state tax programs,
assisting in the enforcement of child support programs, verifying eligibility
and benefits for welfare and public assistance programs, and conducting
criminal investigations.

Before receiving taxpayer information from IRS, agencies are required to
advise IRS how they intend to use the information and to provide IRS with
a detailed safeguard plan that describes the procedures established and
used by the agency for ensuring the confidentiality of the information they
want to receive. These safeguard plans are supposed to be updated every 6
years or if significant changes are made to the agencies’ procedures. IRS
Publication 1075, Tax Information Security Guidelines for Federal, State,
                      1
and Local Agencies, outlines what must be included in an agency’s
safeguard plan. Agencies are also required to submit annual reports to IRS
summarizing their efforts to safeguard taxpayer information and any minor
changes to their safeguarding procedures.

In addition to providing IRS with safeguard plans and annual reports,
agencies’ Offices of Inspector General (OIG) may also review internal
agency programs for safeguarding restricted or classified information. For
example, in March 1999, the Department of Veterans Affairs’ (VA) OIG
issued a report on its review of the Evaluation of VHA’s Income
Verification Match Program (Report No. 9R1-G01-054, Mar. 15, 1999).This
report outlined possible inappropriate requests for and subsequent use of
taxpayer information by VA’s Health Eligibility Center.

IRS conducts on-site reviews to ensure that agencies’ safeguard
procedures fulfill IRS requirements for protecting taxpayer information.
IRS’ National Office of Governmental Liaison and Disclosure, Office of
Safeguards, has overall responsibility for safeguard reviews to assess
whether taxpayer information is properly protected from unauthorized use
or access as required by the IRC and to assist in reporting to Congress.
Safeguard reviews are to be conducted every 3 years.

IRS’ safeguard reviews have identified discrepancies in agency safeguard
procedures and made recommendations for corrections. The reviews have
1
    Publication 1075 has been revised periodically, most recently in March 1999.




Page 2                                        GAO-GGD-99-164 Safeguarding Taxpayer Information
                        B-282749




                        uncovered problems with agency safeguarding procedures, ranging from
                        inappropriate access to taxpayer information by contractor staff to
                        administrative matters, such as the failure to properly document the
                        disposal of information.

                        IRS began exchanging federal taxpayer data with state tax administration
Background              agencies in the 1920s, but it was not until the Tax Reform Act of 1976 that
                        Congress declared federal tax returns and return information to be
                        confidential. The Tax Reform Act specified IRS’ responsibilities for
                        safeguarding taxpayer information against unauthorized disclosure while
                        authorizing IRS to share this information with state agencies for tax
                        administration purposes. Congress also authorized the sharing of taxpayer
                        information with child support programs to assist with enforcement, such
                        as locating individuals owing child support. In 1984, Congress authorized
                        IRS to share data to support federal and state administration of other
                                                                                    2
                        programs, such as Aid to Families With Dependent Children and Medicaid,
                        to assist in verifying eligibility and benefits.

                        Disclosures of federal taxpayer information to an agency are restricted to
                        the agency’s justified need for and use of such information. Unauthorized
                        inspection, disclosure, or use of taxpayer information is subject to civil
                        and criminal penalties.

                        The objective of this study was to provide the Committee with information
Objective, Scope, and   on how federal, state, and local agencies use the taxpayer information they
Methodology                                                          3
                        are authorized to obtain under section 6103. To meet our objective, we
                        met with officials in IRS’ Office of Governmental Liaison and Disclosure,
                        Office of Safeguards, and select IRS District Disclosure Offices. We also
                        reviewed IRS documentation of reports submitted by federal, state, and
                        local agencies on the safeguard procedures used to protect taxpayer
                        information. In addition, we reviewed IRS reports of its monitoring efforts
                        at these agencies.

                        IRS provided us with lists of federal, state, and local agencies that had
                        received taxpayer information during 1997 or 1998. We surveyed the
                        agencies, asking them under what authority they received taxpayer
                        information, how they received it, what they used the information for, and

                        2
                        The Aid to Families With Dependent Children program has been replaced by the Temporary
                        Assistance for Needy Families program.
                        3
                         Our study did not address disclosure of taxpayer information to agencies pursuant to taxpayer
                        consents under section 6103(c), which are not subject to the safeguard requirements of section
                        6103(p)(4).




                        Page 3                                    GAO-GGD-99-164 Safeguarding Taxpayer Information
B-282749




whether there were alternate sources of data they could use in lieu of
taxpayer information. We also asked them about IRS’ monitoring efforts
and to identify any safeguard deficiencies that have been noted during
recent internal or external reviews. Copies of our questionnaires are
reproduced in appendix IX.

We surveyed all of the federal agencies in the Washington, D.C.,
metropolitan area that IRS identified as having received taxpayer
information. The response rate was 100 percent from these agencies. In
some cases, we sent a questionnaire to more than one contact for a
particular agency. For example, for the Department of Labor, IRS
identified four separate components as receiving taxpayer information.
Thus, IRS gave us the names of four separate contact persons at Labor. We
mailed our questionnaire to 50 agency contact persons. In our cover letter,
we encouraged them to distribute copies of the questionnaire to all other
entities within the agency that received taxpayer information from IRS and
asked that an appropriate representative from those units return a
completed questionnaire.

Several agencies that had only one contact person listed by IRS returned
multiple questionnaires from different units within their agencies that use
taxpayer information. For example, the Department of Transportation had
only one contact person to whom we mailed our questionnaire, but staff in
the Department completed and returned 10 questionnaires. In total, we
received 98 questionnaires from the 50 agency contacts from whom we
requested information.

From the list IRS provided of 215 state and local entities that had received
taxpayer information, we drew a simple random probability sample of 35
entities. Each entity on the IRS list had an equal, nonzero probability of
being included in the sample. Our sample, then, is only one of a large
number of samples that we might have drawn because we followed a
probability procedure based on random selection. Each sample could have
provided different estimates; thus, we can express our confidence in the
precision of our particular sample’s results as a 95-percent confidence
interval. This is the interval that would contain the actual population value
for 95 percent of the samples we could have drawn. As a result, we are 95-
percent confident that each of the confidence intervals in this report will
include the true values in the study population.

We mailed questionnaires to the contact persons at each of the selected
entities. Like the federal agencies, some of the state and local agencies
completed more than one questionnaire. Thirty-four of the 35 state and



Page 4                          GAO-GGD-99-164 Safeguarding Taxpayer Information
                        B-282749




                        local agencies we surveyed returned at least one questionnaire, for a
                                                    4
                        response rate of 97 percent.

                        Given the broad scope of our study and the required time frame for
                        completion, our audit work focused on collecting and presenting the data
                        from the agencies and IRS. As agreed with your office, we did not verify
                        the information that we collected. We also did not evaluate the efforts of
                        IRS or the federal, state, and local agencies to safeguard taxpayer
                        information.

                        We performed our work at IRS’ National Office of Safeguards and select
                        IRS District Disclosure Offices. Our work was done between March and
                        August 1999 in accordance with generally accepted government auditing
                        standards.

                        We requested comments on a draft of this report from the Commissioner
                        of Internal Revenue. IRS provided written comments in an August 16, 1999,
                        letter, which is reprinted in appendix X. The comments are discussed near
                        the end of this letter.

                        According to IRS, there were 37 federal and 215 state and local agencies
Which Federal, State,   that received, or maintained records containing, taxpayer information
and Local Agencies      under provisions of IRC section 6103 during 1997 or 1998. We surveyed all
Receive Taxpayer        of the 34 federal agencies in the Washington, D.C., metropolitan area that
                        IRS identified as having received taxpayer information. In responding to
Information?            our questionnaire, 3 of the 34 federal agencies—Agency for International
                        Development, Department of Energy, and Environmental Protection
                        Agency—indicated that they did not receive any taxpayer information
                        during 1997 or 1998. In addition, two agencies—Equal Employment
                        Opportunity Commission and Securities and Exchange Commission—
                        indicated that they did not receive any taxpayer information during 1998.
                        Among these 34 federal agencies, however, there were several that had
                        more than one department or unit that utilized the taxpayer information
                        received.

                        From the list IRS provided of 215 state and local entities that were
                        receiving taxpayer information, we drew a simple random probability
                        sample of 35 entities. Only one of our sampled state and local entities—
                        Alabama Department of Human Resources—indicated that it did not
                        4
                         The one outstanding agency, Maryland Department of Human Resources, Child Enforcement Agency,
                        returned a questionnaire as we were processing this report. Because of the timing of when the
                        questionnaire was returned, we were unable to include this response in our summary of information of
                        state and local agencies.




                        Page 5                                    GAO-GGD-99-164 Safeguarding Taxpayer Information
                          B-282749




                          receive any taxpayer information in 1997, and all of them indicated that
                                                                         5
                          they had received taxpayer information in 1998.

                          According to IRS officials, they generally categorize the agencies into one
                          of the following:

                        • Child support agencies–IRS discloses certain tax return information to
                          federal, state, and local child support enforcement agencies.
                        • Welfare/public assistance agencies–IRS discloses certain tax return
                          information to federal, state, and local agencies administering
                          welfare/public assistance programs, such as food stamps and housing.
                        • State tax administration/law enforcement agencies–IRS discloses
                          certain tax return information to federal, state, and local agencies for tax
                          administration and the enforcement of state tax laws.
                        • Federal agencies–IRS discloses certain tax return information to federal
                          agencies for certain other purposes.

                          The type of taxpayer information agencies receive varies in content,
What Type of Taxpayer     format, and frequency according to how agencies use the information.
Information Do            Agencies may receive paper copies of individual tax returns, electronic
Agencies Receive?         databases of IRS’ individual and business master files, or tape extracts
                          from these files. The information can include such things as the taxpayers’
                          names, Social Security numbers, addresses, or wages. Table 1 shows
                          examples of the different types of taxpayer information agencies receive.

                          As shown in table 1, agencies receive taxpayer information in a variety of
                          formats—for example, paper copy, electronic databases, and tape extracts.
                          Some agencies receive this information on a regular schedule—for
                          example, monthly, quarterly, or annually. Other agencies receive it on an
                          as-needed basis—for example, while conducting criminal investigations.




                          5
                           On the basis of the questionnaire responses, we estimate that between 0 and 9 percent of all state and
                          local entities on IRS’ list did not receive taxpayer information in 1998, and between 0 and 14 percent
                          did not receive taxpayer information in 1997.




                          Page 6                                     GAO-GGD-99-164 Safeguarding Taxpayer Information
                                          B-282749




Table 1: Examples of Types of Taxpayer
Information Received by Federal, State,   Taxpayer information                                           Format                 Frequency
and Local Agencies                        Individual and corporate income tax, estate tax, partnership, Paper copy              Upon request
                                          fiduciary, excise tax, and exempt organization audit reports
                                          Payer and payee information from W-2s, K-1s, Form 1099s,       Paper copy             Upon request
                                          and Form 5498
                                          Taxpayers’ mailing addresses                                   Paper copy             Upon request
                                          Information returns master file (SSN, name, address)           Tape                   Annual
                                          Individual master file extract (SSN, name, address, marital    Tape                   Annual
                                          status, exemptions, dependents, income, and return type)
                                          Corporate income tax return information (name, address, EIN, Tape                     Annual
                                          net income or loss, assets, and gross receipts)
                                          Employment tax returns records (EIN, total compensation paid, Tape                    Weekly
                                          taxable period, number of employees, total taxable wages
                                          paid, and tip income)
                                          Statistics of income corporate sample (credits, balance sheet, Tape                   Annual
                                          and income statement)
                                          W-2s and W-3s (wage data submitted by employers)               Electronic,            Upon request
                                                                                                         paper copy
                                          Unearned income from various Form 1099s                        Tape                   Monthly
                                          Wages, self-employment earnings, and retirement income         Tape,                  Annual,
                                                                                                         electronic             monthly
                                          SSN, filing and marital status, taxpayer name, address,        Tape,                  Upon request
                                          employee EINs                                                  electronic
                                          Legend
                                          EIN Employee identification number
                                          Form 1099s Interest, dividend, and miscellaneous income statements
                                          Form 5498 Individual Retirement Arrangement Information
                                          K-1s Beneficiary’s, partnership’s, and shareholder’s share of income, deductions, credits, etc.
                                          SSN Social Security number
                                          W-2s and W-3s Wage and tax statements
                                          Source: IRS Office of Safeguards.


                                          We asked the agencies we surveyed to indicate how they received taxpayer
                                          information from IRS during 1997 or 1998 and how often they received that
                                          information. Tables 2 and 3 show the survey results.




                                          Page 7                                     GAO-GGD-99-164 Safeguarding Taxpayer Information
                                         B-282749




Table 2: Formats in Which Agencies
Received Taxpayer Information From                                                                              Agencies
                                                                                                                                     b
IRS in 1997 or 1998                      Format                                                           Federal    State and local
                                         Paper copy                                                           56%                44%
                                         Electronic databases                                                 50                 15
                                         Tape extracts                                                        44                 88
                                         Othera                                                               28                 18
                                         Note: Percentages may add to more than 100 percent because agencies can receive the information
                                         in different formats for different purposes.
                                         a
                                         Some agencies indicated that they received the information on a diskette or via direct-connect.
                                         b
                                          The percentages shown reflect the raw percentages obtained in the sample. The population
                                         percentages associated with the 95-percent confidence interval are: paper (30%-59%), database
                                         (6%-28%), tape extracts (75%-96%), other (8%-32%).
                                         Source: GAO analysis of responses from agencies surveyed.


Table 3: Frequencies With Which
Agencies Received Taxpayer                                                                                      Agencies
                                                                                                                                     b
Information From IRS in 1997 or 1998     Frequency                                                        Federal    State and local
                                         Yearly                                                               34%                18%
                                         Quarterly                                                            19                 15
                                         Monthly                                                              19                 53
                                         Weekly                                                               47                 18
                                         Othera                                                               47                 29
                                         Note: Percentages may add to more than 100 percent because agencies can receive the information
                                         at different intervals for different purposes.
                                         a
                                         Some agencies indicated that they received the information upon request or on an as-needed basis.
                                         b
                                         The percentages shown reflect the raw percentages obtained in the sample. The population
                                         percentages associated with the 95-percent confidence interval are: yearly (8%-32%), quarterly (6%-
                                         28%), monthly (39%-67%), weekly (8%-32%), other (17%-44%).
                                         Source: GAO analysis of responses from agencies surveyed.


                                         Appendixes III and IV further describe the types of taxpayer information
                                         received by federal and state and local agencies, respectively; the format in
                                         which the information was received; and the frequency with which it was
                                         received, categorized by purposes for which the information might be
                                         used.

                                         In addition to the taxpayer information received from IRS, many agencies
                                         use other sources of information to fulfill their missions. We asked the
                                         agencies to indicate, in lieu of taxpayer information, what other sources of
                                         data are available that would allow them to accomplish their missions. As
                                         shown in table 4, the responses from the federal, state, and local agencies
                                         we surveyed generally fell into one of following categories:

                                       • There was no other source of data available to them.
                                       • They used other sources, but these other sources were less reliable than
                                         tax information.


                                         Page 8                                    GAO-GGD-99-164 Safeguarding Taxpayer Information
                                      B-282749




                                    • They used other sources, but these other sources were more costly to use
                                      than tax information.
                                    • They used other sources in conjunction with the tax information.
                                    • They did not respond to this question.

Table 4: Other Sources of Data
Agencies Used in Lieu of Taxpayer                                                                                  Agencies
                                                                                                                                       a
Information                           Other sources                                                          Federal   State and local
                                      No other sources available                                                 47%               71%
                                      Other sources less reliable                                                28                 3
                                      Other sources more costly                                                  16                 0
                                      Used other sources as well as tax data                                     34                44
                                      Did not respond                                                            19                 3
                                      Note: Percentages may add to more than 100 because more than one response was possible for an
                                      agency due to multiple responses from different components within an agency.
                                      a
                                       The percentages shown reflect the raw percentages obtained in the sample. The population
                                      percentages associated with the 95-percent confidence interval are: no other sources available (56%-
                                      83%), other sources less reliable (0%-14%), other sources more costly (0%-9%), and used other
                                      sources as well as tax data (30%-59%).
                                      Source: GAO analysis of responses from agencies surveyed.


                                      Under various IRC section 6103 subsections, agencies may receive
How Is the Taxpayer                   taxpayer information for one of several reasons, such as to administer
Information Being                     state tax programs, assist in the enforcement of child support programs, or
Used?                                 verify eligibility and benefits for various welfare and public assistance
                                                                                        6
                                      programs (e.g., food stamps or public housing). Agencies may also receive
                                      taxpayer data for use during a criminal investigation, to apprise
                                      appropriate officials of criminal activities or emergency circumstances, or
                                      to assist in locating fugitives from justice.

                                      One of the most common reasons why agencies said they received
                                      taxpayer information was their participation in the tax refund offset
                                      program. Pursuant to the IRC, agencies submitted qualifying debts, such
                                      as student loans or child support payments, for collection by offsetting the
                                      debt against the taxpayer’s refund. Seventy-five percent of the federal
                                      agencies and 15 percent of the state and local agencies in our sample
                                      indicated that they received taxpayer information for this purpose.

                                      Effective January 1, 1999, tax refund offset procedures for collecting
                                      qualifying debts were modified. The Department of the Treasury’s
                                      Financial Management Service was given the responsibility for the Federal
                                      Refund Offset Program, which was merged into the centralized
                                      administrative offset program known as the Treasury Offset Program. This

                                      6
                                          See appendix II for a description of the various IRC 6103 subsections.




                                      Page 9                                        GAO-GGD-99-164 Safeguarding Taxpayer Information
    B-282749




    program commingles tax refund information with other federal financial
    information (e.g., benefit payments, pensions). If a match is found when an
    individual has an outstanding debt and is receiving federal money in any
    form (e.g., tax refund, pension, or vendor payments), the individual is
    notified that his federal money can be withheld to pay off the debt. The
    source or sources of any money withheld is not revealed to the agencies,
    but simply the fact that an offset has been made. This information, then, is
    no longer identifiable as tax refund information; thus, it is no longer
                                       7
    considered taxpayer information.

    Because of this change to the offset program, several agencies we
    surveyed indicated that they no longer needed taxpayer information.
    Thirty-four percent of the federal and 3 percent of the state and local
    agencies in our sample indicated that they are participating in the Treasury
    Offset Program and that they will no longer need to receive taxpayer
    information from IRS.

    We asked the agencies we surveyed to indicate how they use taxpayer
    information. We grouped their responses into the following categories:

•   administering debt collection or offset program;
•   administering tax laws;
•   determining eligibility for welfare and public assistance programs;
•   enforcing child support programs;
•   conducting criminal investigations; and
•   other purposes, such as statistical and economic research, auditing
    government programs, or storage of tax returns.

    Table 5 shows how the agencies we surveyed responded to our query
    about how they used the taxpayer information they received in 1997 or
    1998. (App. V provides a listing of possible uses of taxpayer information
    received from IRS.)




    7
     To the extent that agencies collect past-due child support payments from tax refund offsets under the
    Treasury Offset Program, such agencies continue to receive specified taxpayer information as
    authorized by IRC section 6103 (l)(10).




    Page 10                                    GAO-GGD-99-164 Safeguarding Taxpayer Information
                                            B-282749




Table 5: How Taxpayer Information Was
Used by Federal, State, and Local                                                                                     Agencies
                                                                                                                                          a
Agencies in 1997 or 1998                    Category                                                             Federal  State and local
                                            Debt collection/offset program                                           75%              15%
                                            Administering tax laws                                                     0              41
                                            Determining eligibility for welfare/public
                                            assistance programs                                                        16                32
                                            Enforcement of child support programs                                       6                29
                                            During criminal investigations                                             28                 3
                                            Other purposes                                                             28                 0
                                            Note: Percentages may add to more than 100 percent because agencies can use taxpayer
                                            information for multiple purposes.
                                            a
                                             The percentages shown reflect the raw percentages obtained in the sample. The population
                                            percentages associated with the 95-percent confidence interval are: Treasury offsets (6%-28%),
                                            administration of tax laws (28%-56%), welfare/public assistance programs (20%-47%), child support
                                            enforcement (17%-44%), investigations (0%-14%), and other (0%-9%).
                                            Source: GAO analysis of responses from agencies surveyed.


                                            Before receiving taxpayer information from IRS, agencies are required to
What Policies and                           provide IRS with a detailed Safeguard Procedures Report (SPR) that
Procedures Are                              describes the procedures established and used by the agency for ensuring
Agencies Required to                        the confidentiality of the information received. The SPR is a record of how
                                            the agency processes the federal taxpayer information and protects it from
Follow to Safeguard                         unauthorized disclosure.
Taxpayer Information?
                                                                                                                                           8
                                            IRS Publication 1075 outlines what must be included in an agency’s SPR.
                                            In addition to requiring that it be submitted on agency letterhead and
                                            signed by the head of the agency or the head’s delegate, an agency’s SPR
                                            must contain information about

                                        •   responsible officer(s),
                                        •   location of the data,
                                        •   flow of the data,
                                        •   system of records,
                                        •   secure storage of the data,
                                        •   access to the data,
                                        •   disposal of the data,
                                        •   computer security, and
                                        •   agency’s disclosure awareness program.

                                            All federal agencies and the state welfare agencies are to submit their
                                            SPRs to IRS’ Office of Safeguards, which is to review the reports for
                                            completeness and acceptance. State taxing agencies and child support

                                            8
                                                See appendix VI for a summary of the requirements included in IRS Publication 1075.




                                            Page 11                                      GAO-GGD-99-164 Safeguarding Taxpayer Information
  B-282749




  enforcement agencies are to submit their SPRs to the IRS District
  Disclosure Office in their respective states. Agencies are expected to
  submit a new SPR every 6 years or whenever significant changes occur to
  their safeguard program.

  IRS has taken steps to withhold taxpayer information from agencies if
  their SPRs did not fulfill the requirements set forth in IRC section 6103.
  Shown below are some recent examples of IRS notifying agencies that they
  would not be able to get taxpayer information because their SPRs were
  incomplete.

• In April 1999, IRS’ Office of Safeguards notified the Arizona Department of
  Economic Security that, since IRS had not received an acceptable SPR, it
  was recommending to IRS’ Office of FedState Relations that federal
  taxpayer information be withheld until the agency complied with the
  safeguarding requirements outlined in IRC section 6103. IRS’ Office of
  Safeguards further advised that it would recommend to the Social Security
  Administration that tax information contained in the Beneficiary Earnings
  Exchange Record should not be forwarded to the department.
• In May 1999, IRS’ Office of Safeguards notified the West Virginia
  Department of Health and Human Resources that additional information
  that IRS had requested in an earlier letter had not been provided and that it
  could not accept the procedures described in the department’s draft SPR
  as adequately protecting federal taxpayer information from unauthorized
  disclosure.
• In June 1999, IRS’ Office of Safeguards notified the Federal Bureau of
  Investigation that IRS was unable to accept the Bureau’s SPR as describing
  adequate safeguard procedures to protect federal taxpayer information
  from unauthorized disclosure.

  Agencies are also required to file a Safeguard Activity Report (SAR)
  annually with IRS to advise it of any minor changes to the procedures or
  safeguards described in their SPR. The SAR is also to advise IRS of future
  actions that would affect the agency’s safeguard procedures—for example,
  new computer equipment, facilities, or systems or the use of contractors,
  as permitted by law, to do programming, processing, or administrative
  services. Moreover, the SAR is to summarize the agency’s current efforts to
  ensure confidentiality and certify that the agency is protecting taxpayer
  information pursuant to IRC section 6103(p)(4) and the agency’s own
  security requirements.

  In addition to the SPRs and annual SARs that are sent to IRS, agencies’
  OIGs may also review agency programs for safeguarding taxpayer



  Page 12                         GAO-GGD-99-164 Safeguarding Taxpayer Information
                        B-282749




                        information. For example, a March 1999 Department of Veterans Affairs
                        (VA) OIG report outlined possible inappropriate requests for and
                        subsequent use of taxpayer information by VA’s Health Eligibility Center
                        because of erroneous information supplied to them by some VA medical
                                   9
                        facilities. The OIG found that a large percentage of sampled cases did not
                        have certain required documentation on file and, consequently, should not
                        have been referred for income matching and verification.

                        Before we notified IRS about the VA OIG report, neither Treasury nor IRS
                        was aware of the report or its findings. After meeting with IRS to discuss
                        the OIG findings, VA agreed to work with IRS on corrective actions.
                        According to IRS, federal agency OIGs are not required to notify IRS of
                        their findings involving tax returns and return information. In July 1999,
                        IRS issued a memorandum to federal agency OIGs asking for their
                        assistance in working with IRS in this area.

                        IRS is supposed to conduct on-site reviews every 3 years to ensure that
How Frequently Is IRS   agencies’ safeguard procedures fulfill IRS requirements for protecting
to Monitor Agencies’    taxpayer information. IRS’ National Office of Governmental Liaison and
Adherence to the        Disclosure, Office of Safeguards, has overall responsibility for safeguard
                        reviews to assess whether taxpayer information is properly protected from
Safeguarding            unauthorized inspection, disclosure, or use as required by the IRC and to
Requirements?           assist in reporting to Congress. The Office of Safeguards conducts the on-
                        site reviews for all the federal agencies and state welfare agencies that
                        receive taxpayer information. IRS’ District Offices of Disclosure and
                        FedState Relations are responsible for conducting the on-site safeguard
                        reviews at all other state and local agencies that receive taxpayer
                        information. There are 33 district offices, 29 of which have responsibilities
                        for overseeing the safeguard reviews at state and local agencies. As of June
                        1999, there were 230 professional and 24 support staff assigned to the
                        national and district disclosure offices. (App. VIII shows the staffing levels
                        of these offices.) In addition to overseeing the safeguarding program, the
                        district offices have responsibility for a variety of other disclosure
                        activities, such as responding to requests under the Freedom of
                        Information Act or Privacy Act.

                        According to IRS, staff from the responsible IRS office visit the agency to
                        review the procedures established and used by the agency to protect
                        taxpayer information from unauthorized disclosure. In addition, they
                        assess the agency’s need for, and use of, this information. IRS staff are to
                        meet with agency personnel, review agency records, and visit agency
                        9
                            Report No. 9R1-G01-054, Mar. 15, 1999.




                        Page 13                                      GAO-GGD-99-164 Safeguarding Taxpayer Information
                       B-282749




                       facilities where taxpayer information is kept. They then prepare a report
                       detailing their assessment of the agency’s processes and ability to fulfill
                       the requirements of IRC section 6103(p)(4).

                       In addition to conducting the triennial safeguard reviews, IRS District
                       Disclosure Office staff are to conduct annual “need and use” reviews at all
                       state and local agencies involved in tax administration. These reviews are
                       done to validate the agencies’ continued need for and use of the tax
                       information they receive from IRS.

                       IRS’ safeguard reviews over the last 5 years have identified discrepancies
What Are the Results   in agency safeguard procedures and made recommendations for
of IRS’ Monitoring     corrections. The reviews have uncovered deficiencies with agency
Efforts?               safeguarding procedures, ranging from inappropriate access of taxpayer
                       information by contractor staff to administrative matters, such as the
                       failure to properly document the disposal of information. Discrepancies
                       found by IRS during the safeguard reviews generally were procedural
                       deficiencies and did not result in known unauthorized disclosures of
                       taxpayer information. In their responses to the discrepancies found and
                       recommendations made by IRS, agencies indicated that they would
                       institute corrective actions. (App. VII provides examples of the
                       discrepancies found by IRS during its safeguard reviews.)

                       As noted above, one of the discrepancies that IRS found during safeguard
                       reviews was that some agencies that received taxpayer information were
                       using contractor personnel in a manner that might allow them access to
                       taxpayer information. In its Report on Procedures and Safeguards
                       Established and Utilized by Agencies for the Period January 1 through
                       December 31, 1998, IRS highlighted this problem to Congress. IRS found
                       agencies using contractor personnel in setting up agency computer
                       systems in a manner that permitted the contractors to see taxpayer
                       information. IRS also found agencies using contractor personnel in the
                       disposal of taxpayer information, without having agency personnel
                       observe the process to ensure that contractor personnel did not “access”
                       the information. One of the major changes to IRS Publication 1075 in
                       March 1999 was the inclusion of a section devoted to the appropriateness
                       of, and precautions with, using contractor personnel to assist an agency in
                       fulfilling the part of its mission that requires the use of taxpayer
                       information.

                       Some types of administrative discrepancies found by IRS staff during
                       safeguard reviews included, among other things, that




                       Page 14                         GAO-GGD-99-164 Safeguarding Taxpayer Information
                        B-282749




                      • agencies were not properly documenting what information had been
                        destroyed;
                      • agency recordkeeping systems at field offices did not always meet the
                        statutory requirements for accountability;
                      • agencies were not properly tracking the shipment of paper documents
                        containing federal taxpayer information; and
                      • employees were not always aware of the criminal and civil penalties that
                        can be imposed for unauthorized inspection or disclosure.

                        We requested comments on a draft of this report from the Commissioner
Agency Comments and     of Internal Revenue. Officials representing the Assistant Commissioner for
Our Evaluation          Examination and the Commissioner’s Office of Legislative Affairs provided
                        IRS’ comments at an August 12, 1999, meeting. IRS also provided written
                        comments in an August 16, 1999, letter, which is reprinted in appendix X.

                        IRS was in overall agreement with the draft report and said it fairly
                        represented the scope and use of IRC section 6103 provisions regarding
                        safeguarding taxpayer information. IRS also provided some additional
                        information and technical comments. Where appropriate, we made
                        changes to this report on the basis of these comments.

                        We are sending copies of this report to Senator Fred Thompson, Chairman,
                        and Senator Joseph I. Lieberman, Ranking Minority Member, Senate
                        Committee on Governmental Affairs, and Representative Charles B.
                        Rangel, Ranking Minority Member, House Committee on Ways and Means.
                        We are also sending copies to the Honorable Lawrence H. Summers,
                        Secretary of the Treasury; the Honorable Charles O. Rossotti,
                        Commissioner of Internal Revenue; the Honorable Jacob Lew, Director,
                        Office of Management and Budget; and other interested parties. We will
                        also send copies to those who request them.

                        If you or your staff have any questions concerning this report, please
                        contact me or Joseph Jozefczyk at (202) 512-9110. Other major
                        contributors to this report are acknowledged in appendix XI.




                        Cornelia M. Ashby
                        Associate Director, Tax Policy and
                         Administration Issues



                        Page 15                         GAO-GGD-99-164 Safeguarding Taxpayer Information
Contents



Letter                                                                                   1


Appendixes   Appendix I: Lists of Federal, State, and Local Agencies                    20
               Receiving Taxpayer Information
             Appendix II: IRC Section 6103 Subsections That                             24
               Authorize IRS to Disclose Taxpayer Information
               Subject to Safeguarding Requirements
             Appendix III: Overview of Information Provided to                          32
               Federal Agencies Under the Provisions of IRC Section
               6103
             Appendix IV: Overview of Information Provided to State                     36
               and Local Agencies Under the Provisions of IRC
               Section 6103
             Appendix V: Possible Uses for Federal Taxpayer Data                        39
               Provided to Federal, State, and Local Agencies
             Appendix VI: Summary of Tax Information Security                           41
               Guidelines for Federal, State, and Local Agencies
             Appendix VII: Examples of Deficiencies Found During                        47
               IRS’ Reviews of Agencies’ Safeguarding Procedures
             Appendix VIII: Staffing Levels for IRS’ Office of                          54
               Safeguards
             Appendix IX: Questionnaires Used to Survey Federal,                        56
               State, and Local Agencies Receiving Taxpayer
               Information
             Appendix X: Comments From the Internal Revenue                             60
               Service
             Appendix XI: GAO Contacts and Staff Acknowledgments                        61


Tables       Table 1: Examples of Types of Taxpayer Information                          6
               Received by Federal, State, and Local Agencies
             Table 2: Formats in Which Agencies Received Taxpayer                        7
               Information From IRS in 1997 or 1998
             Table 3: Frequencies With Which Agencies Received                           8
               Taxpayer Information From IRS in 1997 or 1998
             Table 4: Other Sources of Data Agencies Used in Lieu of                     9
               Taxpayer Information
             Table 5: How Taxpayer Information Was Used by                              11
               Federal, State, and Local Agencies in 1997 or 1998
             Table I.1: List of Federal Agencies Receiving Taxpayer                     20
               Information
             Table I.2: List of State and Local Agencies Receiving                      21
               Taxpayer Information



             Page 16                       GAO-GGD-99-164 Safeguarding Taxpayer Information
          Contents




          Table II.1: IRC Authorization for Federal Agencies to                       30
            Receive Taxpayer Information
          Table II.2: IRC Authorization for State and Local Agencies                  31
            to Receive Taxpayer Information
          Table III.1: Disclosure to Federal Agencies for Tax                         32
            Administration and the Administration of Federal Laws
            Not Related to Tax Administration
          Table III.2: Disclosure to Federal Agencies for Statistical                 33
            Purposes
          Table III.3: Disclosure to Federal Agencies for Purposes                    34
            Other Than Tax Administration
          Table III.4: Disclosure to Federal Agencies for Collecting                  35
            Certain Federal Claims and Taxes and for Locating
            Donors
          Table IV.1: Disclosure to State Tax Officials and State and                 36
            Local Law Enforcement Agencies
          Table IV.2: Disclosure to State and Local Child Support                     38
            Enforcement Agencies
          Table IV.3: Disclosure to State and Local Welfare                           38
            Agencies
          Table V.1: Possible Uses of Taxpayer Information by                         39
            Federal, State, and Local Agencies
          Table VII.1: Examples of Agency Deficiencies Found                          53
            During IRS’ Safeguard Reviews


Figures   Figure IX.1: Survey of Federal Agencies Receiving                           56
            Taxpayer Data
          Figure IX.2: Survey of State and Local Agencies Receiving                   58
            Taxpayer Data




          Page 17                        GAO-GGD-99-164 Safeguarding Taxpayer Information
Contents




Abbreviations

ATF         Bureau of Alcohol, Tobacco, and Firearms
FMS         Financial Management Services
HCFA        Health Care Financing Administration
IRC         Internal Revenue Code
IRS         Internal Revenue Service
OCSE        Office of Child Support Enforcement
OIG         Office of the Inspector General
OPM         Office of Personnel Management
RRB         Railroad Retirement Board
SSA         Social Security Administration
VA          Department of Veterans Affairs
SAR         Safeguards Activity Report
SPR         Safeguards Procedures Report


Page 18                       GAO-GGD-99-164 Safeguarding Taxpayer Information
Page 19   GAO-GGD-99-164 Safeguarding Taxpayer Information
Appendix I

Lists of Federal, State, and Local Agencies
Receiving Taxpayer Information

                                             The Internal Revenue Service (IRS) provided us with the following list of
                                             federal agencies in the Washington, D.C., metropolitan area that received,
                                             or maintained records containing, taxpayer data under the authority of
                                             Internal Revenue Code (IRC) section 6103.


Table I.1: List of Federal Agencies Receiving Taxpayer Information
                                          a
1 Agency for International Development                       14 Department of Transportation
2 Central Intelligence Agency                                      Federal Aviation Administration
3 Defense Finance and Accounting Service                           Office of the Secretary of Transportation, TASC
4 Department of Agriculture                                        Research and Special Programs
    Farm Service Agency                                            U.S. Coast Guard
    Food and Nutrition Service                               15 Department of the Treasury
    National Finance Center                                        Financial Management Service
    Office of the Inspector General                                Office of the Inspector General
    Risk Management Agency                                         U.S. Customs Service
    Rural Development                                              U.S. Secret Service, Financial Management Division
5 Department of Commerce                                           U.S. Secret Service, Investigative Support Division
    Bureau of Economic Analysis                              16 Department of Veterans Affairs
    Economic Planning and Coordination Division                    Debt Management Center
    Planning Research and Evaluation Division                      Veterans Benefits Administration
                                                                                                     a
    Office of Financial Management                           17 Environmental Protection Agency
6 Department of Education                                    18 Equal Employment Opportunity Commission
                           a
7 Department of Energy                                       19 Federal Emergency Management Agency
8 Department of Health and Human Services                    20 General Accounting Office
    Office of Child Support Enforcement                      21 General Services Administration
    Program Support Center                                   22 National Archives and Records Administration
9 Department of Housing and Urban Development                      Office of the General Counsel
    Albany Financial Operations Center                             Records Center Facilities
    Real Estate Assessment Center                            23 National Labor Relations Board
10 Department of the Interior                                24 National Science Foundation
11 Department of Justice                                     25 Office of Independent Counsel
    Antitrust Division                                       26 Office of Personnel Management
    Civil Division                                           27 Pension Benefit Guaranty Corporation
    Debt Collection Management                               28 Securities and Exchange Commission
    Federal Bureau of Investigation                          29 Small Business Administration
    Office of Professional Responsibility                    30 Social Security Administration
    Tax Division                                                   Office of the Inspector General
    U.S. Attorneys Offices                                         Office of Policy, Office of Research, Evaluation, and Statistic
12 Department of Labor                                             Office of Program Benefits
    Office of the Chief Financial Officer                          Office of Systems Requirements
    Office of the Inspector General                          31 United States Marine Corps
    Pension and Welfare Benefits Administration              32 U.S. Information Agency
    Plans Benefits Security Division                         33 U.S. Peace Corps
13 Department of State                                       34 U.S. Postal Service
                                                                   General Accounting Section
                                                                   Postal Inspection Service
                                             a
                                              In responding to our questionnaire, these agencies indicated that they had not received any taxpayer
                                             information in 1997 or 1998.




                                             Page 20                                   GAO-GGD-99-164 Safeguarding Taxpayer Information
                                            Appendix I
                                            Lists of Federal, State, and Local Agencies Receiving Taxpayer Information




                                            In addition, IRS identified the following six entities not in the Washington,
                                            D.C., metropolitan area that received taxpayer information. These were:

                                        •   Army and Air Force Exchange, Dallas, TX
                                        •   Department of the Treasury, Bureau of Public Debt, Parkersburg, WV
                                        •   Navy Exchange Service Command, Virginia Beach, VA
                                        •   Department of the Treasury, U.S. Customs, Indianapolis, IN
                                        •   Department of Veteran Affairs, Fort Snelling, MN
                                        •   U.S. Railroad Retirement Board, Chicago, IL

                                            As agreed with your office, we did not include these six in our survey
                                            because they were located outside the Washington, D.C., metropolitan
                                            area.

                                            IRS provided us with the following list of state and local agencies that
                                            received, or maintained records containing, taxpayer data under the
                                            authority of IRC section 6103.


Table I.2: List of State and Local Agencies Receiving Taxpayer Information
1   Alabama Child Support Enforcement Agency                    28 Connecticut Department of Social Services
2   Alabama Department of Human Resources                       29 Delaware Child Support Enforcement Agency
3   Alabama Department of Revenue                               30 Delaware Department of Transportation
4   Alabama Medicaid Agency                                     31 Delaware Division of Revenue
5   Alaska Child Support Enforcement Agency                     32 Delaware Health & Social Services
6   Alaska Department of Health & Social Services               33 District of Columbia Office of Corporation Counsel
7   Alaska Department of Revenue                                34 District of Columbia Department of Human Services
8   American Samoa Department of Treasury                       35 District of Columbia Office of Tax & Revenue
9   Arizona Department of Economic Security                     36 Florida Department of Children & Family Services
10 Arizona Department of Revenue                                37 Florida Department of Revenue
11 Arizona Department of Transportation                         38 Georgia Child Support Enforcement Agency
12 Arizona Health Care Cost Containment System                  39 Georgia Department of Human Resources
13 Arkansas Department of Finance & Administration Revenue      40 Georgia Department of Labor
14 Arkansas Department of Human Services                        41 Georgia Department of Revenue
15 Arkansas Department of Labor                                 42 Guam Child Support Enforcement Agency
16 Arkansas Office of Child Support Enforcement                 43 Guam Department of Revenue & Taxation
17 California State Controller’s Office                         44 Hawaii Child Support Enforcement Agency
18 California Department of Social Services                     45 Hawaii Department of Human Services
19 California Employment Development Department                 46 Hawaii Department of Labor & Industrial Relations
20 California Franchise Tax Board                               47 Hawaii Department of Taxation
21 California State Board of Equalization                       48 Idaho Department of Health & Welfare
22 Colorado Department of Human Services                        49 Idaho Department of Labor
23 Colorado Department of Labor & Employment                    50 Idaho Department of Revenue
24 Colorado Department of Revenue                               51 Idaho State Tax Commission
25 Colorado Department of Social Services                       52 Illinois Attorney General’s Office
26 Connecticut Bureau of Child Support                          53 Illinois Department of Human Services
27 Connecticut Department of Revenue Services                   54 Illinois Department of Public Aid




                                            Page 21                               GAO-GGD-99-164 Safeguarding Taxpayer Information
                                            Appendix I
                                            Lists of Federal, State, and Local Agencies Receiving Taxpayer Information




55    Illinois Department of Revenue                              105   Missouri–Kansas City Revenue Division
56    Illinois Office of Child Support Enforcement                106   Missouri–City of St. Louis Revenue Department
57    Indiana Family & Social Services Administration             107   Montana Department of Justice
58    Indiana Department of Revenue                               108   Montana Department of Public Health & Human Services
59    Indiana Department of Workforce Development                 109   Montana Department of Revenue
60    Indiana Office of Child Support Enforcement                 110   Montana Department of Social & Rehabilitation Services
61    Iowa Child Support Enforcement Agency                       111   Montana Department of Transportation
62    Iowa Department of Human Services                           112   Nebraska Child Support Enforcement Agency
63    Iowa Department of Finance & Revenue                        113   Nebraska Department of Health & Human Services
64    Iowa Workforce Development                                  114   Nebraska Department of Labor
65    Kansas Department of Revenue                                115   Nebraska Department of Revenue
66    Kansas Department of Social & Rehabilitative Services       116   Nebraska Department of Social Services
67    Kentucky Cabinet for Families & Children                    117   Nevada Department of Human Resources
68    Kentucky Revenue Cabinet                                    118   Nevada Department of Motor Vehicles
69    Kentucky Workforce Development                              119   Nevada Department of Taxation
70    Kentucky–Louisville/Jefferson County Revenue Commission     120   Nevada Department of Human Resources
71    Louisiana Child Support Enforcement Agency                  121   New Hampshire Child Support Enforcement Agency
72    Louisiana Department of Health & Hospitals                  122   New Hampshire Department of Employment
73    Louisiana Department of Revenue                             123   New Hampshire Department of Health & Human Services
74    Louisiana Department of Social Services                     124   New Hampshire Department of Revenue
75    Louisiana State Police                                      125   New Hampshire Department of Safety
76    Maine Bureau of Employment                                  126   New Jersey Department of Human Services
77    Maine Child Support Enforcement Agency                      127   New Jersey Department of Labor
78    Maine Department of Human Services                          128   New Jersey Division of Taxation
79    Maine Revenue Services                                      129   New Mexico Human Services Department
80    Maryland Child Support Enforcement Agency                   130   New Mexico Department of Labor
81    Maryland Controller of the Treasury                         131   New Mexico Taxation & Revenue Department
82    Maryland Department of Human Resources                      132   New York Department of Labor
83    Maryland Department of Labor                                133   New York Department of Social Services
84    Massachusetts Child Support Enforcement Agency              134   New York Department of Taxation & Finance
85    Massachusetts Department of Employment Services             135   New York City Department of Finance
86    Massachusetts Department of Revenue                         136   North Carolina Department of Health & Human Services
87    Massachusetts Department of Transitional Assistance         137   North Carolina Department of Human Resources
88    Massachusetts Division of Medical Assistance                138   North Carolina Department of Revenue
89    Michigan Family Independence Agency                         139   North Dakota Department of Human Services
90    Michigan Department of Treasury                             140   North Dakota Office of State Tax Commissioner
91    Michigan Office of Child Support Enforcement                141   Ohio Bureau of Employment Services
92    Michigan–City of Detroit Income Tax Bureau                  142   Ohio Department of Human Services
93    Minnesota Department of Economic Security                   143   Ohio Department of Taxation
94    Minnesota Department of Human Services                      144   Ohio–City of Cincinnati Income Tax Bureau
95    Minnesota Department of Revenue                             145   Ohio–City of Cleveland Division of Taxation
96    Minnesota Department of Social Services                     146   Ohio–City of Columbus Income Tax Division
97    Mississippi Child Support Enforcement Agency                147   Ohio–City of Toledo Division of Taxation
98    Mississippi Department of Human Services                    148   Oklahoma Department of Human Services
99    Mississippi Department of Public Safety                     149   Oklahoma Tax Commission
100   Mississippi Division of Medicaid                            150   Oregon Child Support Enforcement Agency
101   Mississippi State Tax Commission                            151   Oregon Department of Human Resources
102   Missouri Department of Revenue                              152   Oregon Department of Revenue
103   Missouri Department of Social Services                      153   Pennsylvania Department of Public Welfare
104   Missouri Division of Employment Security                    154   Pennsylvania Department of Revenue




                                            Page 22                               GAO-GGD-99-164 Safeguarding Taxpayer Information
                                             Appendix I
                                             Lists of Federal, State, and Local Agencies Receiving Taxpayer Information




155   Pennsylvania–City of Philadelphia Department of Revenue      186   Vermont Division of Motor Vehicles
156   Pennsylvania–City of Pittsburgh Department of Finance        187   Virginia Child Support Enforcement Agency
157   Puerto Rico Department of Social Services                    188   Virginia Department of Motor Vehicles
158   Puerto Rico Department of the Family                         189   Virginia Department of Social Services
159   Puerto Rico Department of the Treasury                       190   Virginia Department of Taxation
160   Puerto Rico Department of Welfare                            191   Virgin Islands Bureau of Health Insurance & Medical
                                                                         Assistance
161   Puerto Rico Division of Medicaid                             192   Virgin Islands Bureau of Internal Revenue
162   Rhode Island Child Support Enforcement Agency                193   Virgin Islands Department of Finance
163   Rhode Island Department of Human Services                    194   Virgin Islands Department of Human Services
164   Rhode Island Department of Administration                    195   Virgin Islands Department of Justice, Child Support
                                                                         Enforcement
165   South Carolina Department of Revenue                         196   Washington Child Support Enforcement Agency
166   South Carolina Department of Social Services                 197   Washington Department of Social & Health Services
167   South Carolina Employment Services                           198   Washington State Department of Revenue
168   South Dakota Department of Labor                             199   Washington Department of Licensing
169   South Dakota Department of Revenue                           200   Washington Department of Labor & Industry
170   South Dakota Department of Social Services                   201   Washington State Employment Security
171   Tennessee Department of Employment Security                  202   West Virginia Child Support Enforcement Agency
172   Tennessee Department of Human Services                       203   West Virginia Department of Employment
173   Tennessee Department of Revenue                              204   West Virginia Department of Health & Human Services
174   Tennessee–Nashville Metropolitan Police Department           205   West Virginia Department of Tax & Revenue
175   Texas Department of Human Services                           206   Wisconsin Child Support Enforcement Agency
176   Texas Disposal Systems                                       207   Wisconsin Department of Industry & Labor
177   Texas Office of the Attorney General, Child Support          208   Wisconsin Department of Revenue
      Enforcement
178   Texas Comptroller of Public Accounts                         209   Wisconsin Department of Workforce Development
179   Texas Workforce/Employment Commission                        210   Wyoming Department of Employment
180   Utah Department of Workforce Services                        211   Wyoming Department of Family Services
181   Utah State Tax Commission                                    212   Wyoming Department of Revenue
182   Vermont Child Support Enforcement Agency                     213   Wyoming Department of Social Service
183   Vermont Department of Employment Services                    214   Wyoming Department of Transportation
184   Vermont Department of Social Welfare                         215   Wyoming State Auditor’s Office
185   Vermont Department of Taxes




                                             Page 23                               GAO-GGD-99-164 Safeguarding Taxpayer Information
Appendix II

IRC Section 6103 Subsections That Authorize
IRS to Disclose Taxpayer Information Subject
to Safeguarding Requirements
                           Certain federal, state, and local agencies, and others are authorized under
IRC Section 6103           Internal Revenue Code (IRC) section 6103 to receive taxpayer information
                           from the Internal Revenue Service (IRS). The following describes the
                           agencies, bodies, commissions, and other agents authorized by IRC section
                           6103 subsections to obtain taxpayer information, subject to safeguarding
                           requirements prescribed in IRC section 6103(p)(4).

IRC Section 6103(d)–       Disclosures of taxpayer information can be made to state taxing agencies
                           and state and local law enforcement agencies that assist in the
Disclosures to State Tax   administration of state tax laws. Disclosures under this section are to be
Agencies and State and     used only for tax administration purposes, and states must justify the need
Local Law Enforcement      for this information and must use the data provided.
Agencies (Officers and
IRC Section 6103(f)–       Certain disclosures of taxpayer information can be made to Committees of
Employees)  for Tax        Congress and their agents upon written request from the Chairman of the
Disclosures
AdministrationCommittees
            to  Purposes   House Committee on Ways and Means, the Senate Committee on Finance,
of Congress                or the Joint Committee on Taxation. Taxpayer information that can be
                           associated with, or otherwise identify (directly or indirectly), a particular
                           taxpayer can only be furnished to the Committee when in closed executive
                           session, unless a taxpayer otherwise consents in writing to the disclosure.
                           Agents, such as the General Accounting Office, and certain other
                           Committees may also receive taxpayer information under subsections
                           (f)(3) and (4).

IRC Section 6103(h)–       6103(h)(2)–Disclosures of taxpayer information can be made to the
                           Department of Justice for proceedings involving tax administration before
Disclosures to Federal     a federal grand jury or any proceedings or investigation that may result in a
Agencies (Officers and     proceeding before a federal grand jury or federal or state court.
Employees) for Tax
Administration Purposes    6103(h)(5)–Disclosures of the address and status of a nonresident alien,
                           citizen, or resident of the United States to the Social Security
                           Administration (SSA) and Railroad Retirement Board can be made for
                           purposes of carrying out responsibilities for withholding tax under section
                           1441 of the Social Security Act for Social Security benefits.




                           Page 24                         GAO-GGD-99-164 Safeguarding Taxpayer Information
                               Appendix II
                               IRC Section 6103 Subsections That Authorize IRS to Disclose Taxpayer Information Subject
                               to Safeguarding Requirements




IRC Section 6103(i)-           6103(i)(l) and (2)–Disclosures of taxpayer and other information can be
                               made for use in certain criminal investigations.
Disclosures to Federal
Agencies (Officers and         6103(i)(3)–Disclosures of taxpayer information can be used to apprise
Employees) for                 appropriate officials of criminal activities or emergency circumstances.
Administration of Federal
                               6103(i)(5)–Disclosures of taxpayer information can be made to locate
Laws Not Related to Tax        fugitives from justice upon the grant of an ex parte order by a federal
Administration                 district court judge or magistrate.

                               6103(i)(7)–Disclosures of taxpayer information can be made to officers
                               and employees of the General Accounting Office in conducting audits of
                               IRS; Bureau of Alcohol, Tobacco and Firearms (ATF); and any agency
                               authorized by 6103(p)(6).

IRC Section 6103(j)–           6103(j)(1)–Disclosures of taxpayer information can be made to the
                               Department of Commerce (Census and Bureau of Economic Analysis).
Disclosures for Statistical
Use                            6103(j)(2)–Disclosures of taxpayer information can be made to the Federal
                               Trade Commission for statistical purposes. Only corporate returns can be
                               disclosed for legally authorized economic surveys of corporations.
                               (According to IRS, this section is obsolete because the Federal Trade
                               Commission no longer performs these economic surveys.)

                               6103(j)(5)–Disclosures of taxpayer information can be made to the
                               Department of Agriculture for the purpose of structuring, preparing, and
                               conducting the census of agriculture pursuant to the Census of Agriculture
                               Act of 1997.

IRC Section 6103(k)(8)–        Disclosures of taxpayer information can be made to the Department of the
                               Treasury’s Financial Management Service (FMS) for levies related to any
Disclosure for Certain Other   federal debt.
Tax Administration
Purposes

IRC Section 6103(l)–           IRC section 6103(l)(1) and (l)(5) allow a specific type of disclosure
                               between IRS and SSA commonly known as the Continuous Work History
Disclosures for Purposes       Sample Program. Under this disclosure, a small sample (approximately 1%)
Other Than Tax                 of the U.S. population’s Social Security-related data, wage information, and
Administration                 self-employment data is collected and used (1) for various studies to
                               monitor trends that may affect Social Security programs; (2) as a model to
                               assist in determining the effects of proposed program changes, including




                               Page 25                              GAO-GGD-99-164 Safeguarding Taxpayer Information
Appendix II
IRC Section 6103 Subsections That Authorize IRS to Disclose Taxpayer Information Subject
to Safeguarding Requirements




proposed legislative or administrative changes; and (3) to assess funding
requirements related to trust funds and the budget.

6103(l)(1)–Disclosures of taxpayer information can be made to the Social
Security Administration and Railroad Retirement Board for the
administration of the Social Security Act and the Railroad Retirement Act.
The common name for this disclosure is the Administration of the Social
Security Act Program. Section 6103(l)(1) is very specific as to what
information may be disclosed to SSA, and part of this information may be
used by SSA only for purposes of carrying out its responsibility under
section 1131 of the Social Security Act.

6103(l)(2)–Disclosures of taxpayer information can be made to the
Department of Labor and the Pension Benefit Guaranty Corporation for
administration of titles I and IV of the Employee Retirement Income
Security Act of 1974.

6103(l)(3)–Disclosures of taxpayer information can be made to any federal
agency administering a federal loan program.

6103(l)(5)–Disclosures of taxpayer information can be made to the Social
Security Administration for the purposes of (1) carrying out an effective
return processing program pursuant to section 232 of the Social Security
Act and (2) providing information regarding the mortality status of
individuals for epidemiological and similar research in accordance with
section 1106(d) of the Social Security Act. The common name for this
disclosure is the Annual Wage Reporting Program. Section 6103(l)(5)
permits SSA and IRS to work together to process and share certain
information. SSA and IRS conduct a number of exchanges to identify
whether employee, employer, and wage data are correct and employers
are submitting information as legally required.

6103(l)(6)–Disclosures of taxpayer information can be made to federal,
state, and local child support enforcement agencies for the purposes of
establishing and collecting child support obligations from individuals
owing such obligations, including locating such individuals. Under IRC
section 6103(p)(2), in conjunction with section 6l03(l)(6), IRS has
authorized SSA to make disclosures to the Office of Child Support
Enforcement, a federal agency that oversees child support enforcement at
the federal level and acts as a coordinator for most programs involved with
child support enforcement.




Page 26                              GAO-GGD-99-164 Safeguarding Taxpayer Information
Appendix II
IRC Section 6103 Subsections That Authorize IRS to Disclose Taxpayer Information Subject
to Safeguarding Requirements




6103(l)(7)–Disclosures of taxpayer information can be made to federal,
state, and local agencies administering certain benefits programs for the
purposes of determining eligibility for, or correct amount of, benefits
under such programs. Section 6103(l)(7) states that SSA will provide its
return information [obtained under 6103(l)(1) or (5)] to other agencies to
assist them with specific welfare programs. The states (and other
authorized agencies) provide the names and Social Security numbers of
welfare applicants or recipients, and SSA provides the authorized
information, such as wages and self-employment (net earnings) and
retirement income. This disclosure between SSA and the other agencies is
called the Beneficiary and Earnings Data Exchange Program. A similar
program, the 1099 Program, involves the disclosure of unearned income
information between IRS and federal, state, and local agencies
administering these programs.

6103(l)(8)–Disclosures of taxpayer information can be made by SSA to
other state and local child support enforcement agencies for the same
                        1
purposes as 6103(l)(6).

6103(l)(9)–Disclosures of taxpayer information can be made to state
administrators of state alcohol laws for use in the administration of such
laws. The disclosure is limited to information on alcohol fuel producers
only.

6103(l)(10)–Disclosures of specific taxpayer information relating to tax
refund offsets can be made to the agency requesting such offsets in order
to collect specified debts, such as student loans or child support payments.
This disclosure between IRS and other agencies was known as the Tax
Refund Offset Program. This program is currently undergoing a
“transition.” In the past, agencies received pre-offset debtor addresses,
debtor identity information, the filing status (if joint), and any payment
amount to the spouse of a joint return from IRS. Effective January 1, 1999,
Treasury’s Financial Management Service assumed complete responsibility
for the Treasury Offset Program. Except in the case of tax refund offsets to
collect child support debts, agencies are now receiving offset information
under the Treasury Offset Program procedures. Tax refund offset will, in
general, be blended, or amalgamated, with other Treasury “offsets,” such
as salary offsets. FMS is to perform the blending and tax information is not
to be identified beyond FMS, except for agencies involved in collecting
child support debts. When tax refund offset information is blended and

1
 According to IRS data, there are currently no disclosures being made under 6103(8). Section 6103(l)(6)
allows IRS to provide the same information to federal, state, and local agencies.




Page 27                                    GAO-GGD-99-164 Safeguarding Taxpayer Information
Appendix II
IRC Section 6103 Subsections That Authorize IRS to Disclose Taxpayer Information Subject
to Safeguarding Requirements




unidentifiable under the Treasury Offset Program procedures, it is no
longer considered return information and section 6103(p)(4) safeguarding
procedures are not required.

6103(l)(11)–Disclosures of taxpayer information can be made by SSA to
the Office of Personnel Management (OPM) for the purpose of
administering the federal employees’ retirement system (chs. 83 and 84 of
title 5, U.S.C.). The common name for this disclosure between SSA and
OPM is the Federal Employees’ Retirement System Program. It involves a
computer match where OPM provides the names and Social Security
numbers of federal employees participating in the federal retirement
system and SSA provides the wages, self-employment earnings, and
retirement income information obtained under IRC sections 6103(l)(1) and
(l)(5).

6103(l)(12)–Taxpayer information can be disclosed by IRS to SSA and by
SSA to the Health Care Financing Administration (HCFA) to administer the
Medicare program. The common name for this type of disclosure is the
Medicare Secondary Payer Project. The purpose of this disclosure is to
identify the employment status of Medicare beneficiaries to determine if
medical care is covered by group health plans. It permits IRS to provide
SSA with identity information, filing and marital status, and spouse’s name
and Social Security number for specific years for any Medicare beneficiary
identified by SSA. It also permits SSA to disclose to HCFA the names and
Social Security numbers of Medicare beneficiaries receiving wages above a
specified amount. Additionally, it permits HCFA to disclose certain return
information to qualified employers and group health plans.

6103(1)(13)–Disclosures of taxpayer information can be made to the
Department of Education to administer the “Direct Student Loans”
         2
program.

6103(l)(14)–Disclosures of taxpayer information can be made to U.S.
Customs to audit evaluations of imports and exports, and to take other
actions to recover any loss of revenue or collection of duties, taxes, and
fees determined to be due and owed as a result of such audits.

6103(1)(16)–Disclosures of taxpayer information can be made by SSA to
officers or employees of the Department of the Treasury, a trustee or any

2
According to IRS, no disclosures have been made under this provision. Instead, the Department of
Education has obtained taxpayer information pursuant to taxpayer consents under section 6103(c).
Such disclosures are not subject to safeguards.




Page 28                                  GAO-GGD-99-164 Safeguarding Taxpayer Information
                             Appendix II
                             IRC Section 6103 Subsections That Authorize IRS to Disclose Taxpayer Information Subject
                             to Safeguarding Requirements




                             designated officer, employee, or actuary of a trustee (as defined in the D.C.
                             Retirement Protection Act), for the purpose of determining an individual’s
                             eligibility for, or the correct amount of, benefits under the District of
                             Columbia Retirement Protection Act of 1997.

                             6103(l)(17)–Disclosures of taxpayer information can be made to the
                             National Archives and Records Administration for the purposes of
                             appraisal of records for destruction or retention.

IRC Section 6103(m)–         Section 6103 (m)(2), (4), (6), and (7) are not subject to 6103(p)(4)
                             safeguarding requirements unless address and entity information is
Disclosures of Taxpayer      redisclosed to an agent. If redisclosed to an agent, both the agency and the
Identity Information         agent must safeguard the information.

                             6103(m)(2)–Disclosures of taxpayer information can be made to federal
                             agencies for collection of federal claims under the Federal Claims
                             Collection Act. Section 6103(m)(2) authorizes IRS to provide the mailing
                             addresses of taxpayers to any federal agency to locate taxpayers in an
                             attempt to collect federal claims. The common names for this type of
                             disclosure is Taxpayer Address Request Program or the Recovery and
                             Collection of Overpayment Process. It involves the federal agency
                             providing IRS with a listing of debtors, identified by Social Security
                             number and name, and IRS then providing the agency with the same
                             information and the latest known address.

                             6103(m)(4)–Disclosures of taxpayer information can be made to the
                             Department of Education for collection of Student Loans.

                             6103(m)(6)–Disclosures of taxpayer information can be made to officers
                             and employees of the Blood Donor Locator Service in the Department of
                             Health and Human Services for the purpose of locating individuals to
                             inform donors of the possible need for medical care and treatment relating
                             to acquired immune deficiency syndrome.

                             6103(m)(7)–Disclosures of taxpayers’ mailing addresses can be made to
                             SSA for the purpose of mailing the Personal Earnings and Benefit Estimate
                             Statements (Social Security account statements).

IRC Section 6103(n)–         6103(n)–Disclosures of taxpayer information can be made to contractors
                             to the extent necessary and for the various activities and services related
Disclosures to Contractors   to tax administration. These disclosures can only be made by the Treasury
                             Department, a state tax agency, SSA, and the Department of Justice and in
                             accordance with regulations prescribed by the IRS Commissioner.



                             Page 29                              GAO-GGD-99-164 Safeguarding Taxpayer Information
                                        Appendix II
                                        IRC Section 6103 Subsections That Authorize IRS to Disclose Taxpayer Information Subject
                                        to Safeguarding Requirements




IRC Section 6103(o)–                    6103(o)(1)–Disclosures of taxpayer information can be made to ATF for
                                        administering certain taxes on alcohol, tobacco, and firearms.
Disclosures With Respect to
Certain Taxes

                                        Tables II.1 and II.2 show, for the agencies we surveyed that received
                                        taxpayer information in 1997 or 1998, the authorization under which they
                                        received the information.


Table II.1: IRC Authorization for Federal Agencies to Receive Taxpayer Information
                                                                         IRC section 6103 subsections
Federal agency                                   6103(d) 6103(f) 6103(h) 6103(i) 6103(j) 6103(l) 6103(m) 6103(o) Other
Central Intelligence Agency                                                                    X
Defense Finance and Accounting Service                                                         X      X
Department of Agriculture                                            X        X                X      X
Department of Commerce                                                                 X       X
Department of Education                                                                               X
Department of Health and Human Services                                                        X
Department of Housing and Urban Development                                                    X      X
Department of the Interior                                                                            X
Department of Justice                                                X        X                X      X     X
Department of Labor                                                           X                X      X            X
Department of State                                                                                                X
Department of Transportation                                                  X                       X            X
Department of the Treasury                                           X        X                X      X     X
Department of Veterans Affairs                                                                 X      X
Equal Employment Opportunity Commission                                                               X
Federal Emergency Management Agency                                                                   X
General Accounting Office                            X       X                X                X
General Services Administration                                                                       X
National Archives and Records Administration                                                          X
National Labor Relations Board                                                                 X
National Science Foundation                                                                           X
Office of Independent Counsel                                        X        X
Office of Personnel Management                                                                 X
Pension Benefit Guaranty Corporation                                                           X
Securities and Exchange Commission                                                             X      X
Small Business Administration                                                                  X
Social Security Administration                                                X                X      X
United States Marine Corps                                                                            X
U.S. Information Agency                                                                               X
U.S. Peace Corps                                                     X        X                       X
U.S. Postal Service                                                           X
                                        Source: IRS’ Office of Safeguards and agencies’ responses to our survey.




                                        Page 30                                  GAO-GGD-99-164 Safeguarding Taxpayer Information
                                         Appendix II
                                         IRC Section 6103 Subsections That Authorize IRS to Disclose Taxpayer Information Subject
                                         to Safeguarding Requirements




Table II.2: IRC Authorization for State and Local Agencies to Receive Taxpayer Information
                                                                          IRC section 6103 subsections
State agency                                        6103(d) 6103(f) 6103(h) 6103(I) 6103(j) 6103(l) 6103(m) 6103(o) Other
Alabama Department of Human Resources                                                           X
California State Controller’s Office                   X
California Department of Social Services                                                        X
California Franchise Tax Board                         X
Connecticut Department of Social Services                                                       X
Delaware Department of Health & Social Services                                                 X
District of Columbia Office of Corporate Counsel                                                               X
District of Columbia Office of Tax & Revenue           X
Florida Department of Children & Family Services                                                X
Georgia Department of Human Resources                                                           X
Georgia Department of Revenue                          X
Illinois Department of Human Services                                                           X
Illinois Department of Public Aid                                                               X
Kansas Department of Revenue                           X
Kentucky Cabinet for Families & Children, Child                                                 X
Support Enforcement Agency
Kentucky Cabinet for Families & Children, Welfare                                               X
Division
Louisiana Department of Health & Hospitals                                                      X
Louisiana Department of Revenue                        X
Massachusetts Department of Transitional                                                        X
Assistance
Mississippi Division of Medicaid                                                                X
Missouri Department of Revenue                         X                                                              X
Montana Department of Revenue                          X
Nebraska Department of Health & Human                                                           X
Services, Child Support Enforcement
New Jersey Department of Human Services                                                         X
New Mexico Human Services Department                                                            X
Nevada Department of Human Resources                                                            X
North Dakota Office of State Tax Commissioner          X
Rhode Island Department of Administration              X
Texas Comptroller of Public Accounts                   X
Virginia Department of Social Services, Division of                                             X
Child Support Enforcement
Virginia Department of Social Services                                                          X
Vermont Department of Taxes                            X
Wisconsin Department of Revenue                        X
West Virginia Department of Tax and Revenue            X
                                         Source: Agencies’ responses to our survey.




                                         Page 31                                  GAO-GGD-99-164 Safeguarding Taxpayer Information
Appendix III

Overview of Information Provided to Federal
Agencies Under the Provisions of IRC Section
6103
                                          Internal Revenue Code (IRC) section 6103 allows the Internal Revenue
                                          Service (IRS) to disclose taxpayer information to federal agencies and
                                          authorized employees of those agencies. Disclosure of taxpayer
                                          information is to be used strictly for the purposes outlined by federal
                                          statutes and in accordance with IRS policy and procedures.

                                          IRC sections 6103(h) and 6103(i) allow IRS to disclose taxpayer
                                          information to the employees and officers of any federal agency for tax
                                          administration purposes as well as for the administration of federal laws
                                          not related to tax. Under 6103(h), IRS can disclose information to the
                                          Department of Justice for federal tax investigations and to the Social
                                          Security Administration (SSA) and Railroad Retirement Board (RRB) for
                                                                          1
                                          purposes of withholding taxes. IRC section 6103(i) allows the disclosure
                                          of information for use in federal nontax criminal investigations and other
                                          activities not related to tax administration. Table III.1 shows some types of
                                          taxpayer information disclosed and the disclosure format and frequency.

Table III.1: Disclosure to Federal
Agencies for Tax Administration and the   Taxpayer information provided                                            Format    Frequency
Administration of Federal Laws Not        Criminal tax investigation reports and taxpayer listings                 Hard copy Upon request
Related to Tax Administration             Individual and business income tax return information                    Hard copy Upon request
                                          (individual and business master files and return transaction
                                          files)
                                          Individual and corporate income tax, estate tax, partnership,            Hard copy Upon request
                                          fiduciary, excise tax, and exempt organization audit reports
                                          Payer and payee information from W-2s, K-1s, Form 1099s,                 Hard copy Upon request
                                          and Form 5498
                                          Taxpayers’ mailing addresses                                             Hard copy Upon request
                                          Legend
                                          Form 1099s Interest, dividend, and miscellaneous income statements
                                          Form 5498 Individual Retirement Arrangement Information
                                          K-1s Beneficiary’s, partnership’s, or shareholder’s share of income, deductions, credits, etc.
                                          W-2s Wage and tax statements
                                          Source: IRS’ Office of Safeguards.


                                          IRC section 6103(j) allows IRS to disclose taxpayer information to the
                                          Departments of Agriculture and Commerce and to officers and employees
                                          of the Department of the Treasury for statistical use. Table III.2 shows the
                                          types of taxpayer information disclosed and the disclosure format and
                                          frequency.




                                          1
                                          Specifically, section 6103(h)(5) permits the disclosure of taxpayer information to SSA and RRB.
                                          According to IRS data, no disclosures have been made under this provision for numerous years.




                                          Page 32                                    GAO-GGD-99-164 Safeguarding Taxpayer Information
                                     Appendix III
                                     Overview of Information Provided to Federal Agencies Under the Provisions of IRC Section
                                     6103




Table III.2: Disclosure to Federal
Agencies for Statistical Purposes    Taxpayer information provided                                                  Format       Frequency
                                     Information returns master file (SSN, name, address)                           Tape         Annually
                                     Individual master file extract (SSN, name, address, marital status,            Tape         Annually
                                     exemptions, dependents, income, and return type)
                                     Corporate income tax return information (name, address, EIN, net               Tape         Annually
                                     income or loss, assets, and gross receipts)
                                     Employment tax returns records (EIN, total compensation paid,                  Tape         Weekly
                                     taxable period, number of employees, total taxable wages paid,
                                     and tip income)
                                     Business master file entity (EIN, name, address, filing                        Tape         Monthly,
                                                                                                                                          a
                                     requirements, accounting period, and employment code)                                       annually
                                     Weekly economic data and economic and agriculture census                       Tape         Annually
                                     (SSN, EIN, address, receipts, accounting period, wages, interest,
                                     assets, and cost of goods)
                                     Information from application for EIN                                           Tape         Monthly,
                                                                                                                                          b
                                                                                                                                 annually
                                     Statistics of income corporate sample (credits, balance sheet,                 Tape         Annually
                                     income statement, and tax items)
                                     Legend
                                     EIN Employee identification number
                                     SSN Social Security number
                                     a
                                      Selected entity data such as EIN, name, address, etc., are disclosed annually. Changes in business
                                     status, such as those resulting from births, deaths, etc., are disclosed monthly.
                                     b
                                     Monthly disclosures are made to SSA, and with IRS approval, SSA can disclose information to
                                     Census annually.
                                     Source: IRS’ Office of Safeguards.


                                     Under IRC section 6103(l), disclosures can be made to certain federal
                                                                                                2
                                     agencies for purposes other than for tax administration. Disclosure of
                                     taxpayer information can be made to any federal agency administering a
                                                             3
                                     federal loan program, as well as to those federal agencies administering
                                     certain programs under the Social Security Act, the Food Stamp Act of
                                     1977, title 38 U.S.C., or certain other housing assistance and benefits
                                     programs. Disclosures can also be made to SSA, RRB, the Pension Benefit
                                     Guaranty Corporation, and the Department of Labor for the administration
                                     of the Employee Retirement Income Security Act of 1974 and for carrying
                                     out a return processing program.

                                     The Veterans Health Administration, Veterans Benefits Administration, and
                                     Department of Housing and Urban Development also receive federal
                                     taxpayer information from SSA and IRS under the authority of IRC section

                                     2
                                      Sections 6103(l)(6), (7), and (8) also allow disclosure of taxpayer information to state and local
                                     agencies for child support and welfare purposes.
                                     3
                                     Disclosure is limited to information regarding whether or not an applicant for a loan has a tax
                                     delinquent account.




                                     Page 33                                     GAO-GGD-99-164 Safeguarding Taxpayer Information
                                       Appendix III
                                       Overview of Information Provided to Federal Agencies Under the Provisions of IRC Section
                                       6103




                                       6103(l)(7) for use in administering programs authorized under title 38 and
                                       certain housing assistance programs. SSA also receives unearned income
                                       information from IRS, which it uses in administering the Supplemental
                                       Security Income program.

                                       Additionally, IRC section 6103(l) allows disclosure by SSA to the Health
                                       Care Financing Administration and to certain other agencies for
                                       determining eligibility for, or the correct amount of, benefits. Table III.3
                                       shows the types of taxpayer information disclosed and the disclosure
                                       format and frequency.

Table III.3: Disclosure to Federal
Agencies for Purposes Other Than Tax   Taxpayer information provided                                      Format         Frequency
Administration                         Form 8300 information                                              Hard copy      Upon request
                                       Tax liability and delinquency information                          Hard copy      Upon request
                                       W-2s and W-3s (wage data submitted by employers)                   Electronic,    Upon request
                                                                                                          hard copy
                                       Unearned income from various Form 1099s                            Tape           Monthly
                                       Wages, self-employment earnings and retirement income              Tape,          Monthly,
                                                                                                          electronic     annually
                                       SSN, filing and marital status, taxpayer name, addresses,          Tape,          Upon request
                                       employee EINs                                                      electronic
                                       Individual income tax return information (SSN, filing status,      Tape           Monthly
                                       amount and nature of income, number of dependents)
                                       Legend
                                       EIN Employee identification number
                                       Form 1099s Interest, dividend, and miscellaneous income statements
                                       Form 8300 Report of Cash Payments Over $10,000 Received in a Trade or Business
                                       SSN Social Security number
                                       W-2s and W-3s Wages and tax statements
                                       Note: Data regarding Social Security payments are not considered taxpayer information because they
                                       are derived from SSA records. Wage data obtained from W-2s and W-3s and self-employment
                                       income and other income data received from IRS are taxpayer information.
                                       Source: IRS’ Office of Safeguards.


                                       IRC section 6103(m) allows the disclosure of taxpayer information for
                                       collecting federal claims and for locating registered blood donors. All
                                       federal agencies can receive the information for collection of claims, such
                                       as student loans, under the Federal Claims Collection Act. The Department
                                       of Health and Human Services receives the taxpayer information as part of
                                       its Blood Locator Service, for the purpose of locating donors. IRC section
                                       6103(o) allows disclosures of the collection of certain taxes on alcohol,
                                       tobacco, and firearms. Table III.4 shows the types of taxpayer information
                                       disclosed and the disclosure format and frequency.




                                       Page 34                                  GAO-GGD-99-164 Safeguarding Taxpayer Information
                                          Appendix III
                                          Overview of Information Provided to Federal Agencies Under the Provisions of IRC Section
                                          6103




Table III.4: Disclosure to Federal
Agencies for Collecting Certain Federal   Taxpayer information provided                                  Format       Frequency
Claims and Taxes and for Locating         Social Security number, taxpayer name, address                 Tape         Weekly
Donors                                    Taxpayer name, address                                         Electronic   Weekly
                                          Source: IRS’ Office of Safeguards.




                                          Page 35                              GAO-GGD-99-164 Safeguarding Taxpayer Information
Appendix IV

Overview of Information Provided to State
and Local Agencies Under the Provisions of
IRC Section 6103
                                      Under the provisions of Internal Revenue Code (IRC) section 6103(d), the
                                      Internal Revenue Service (IRS) is authorized to make disclosures for state
                                      tax administration purposes to state tax officials and state and local law
                                      enforcement agencies. In general, taxpayer information can be disclosed to
                                      any state agency, body, or commission, or its legal representative for the
                                      administration of state tax laws, including for locating any person who
                                      may be entitled to a state income tax refund. Table IV.1 shows some of the
                                      types of taxpayer information disclosed and the disclosure format and
                                      frequency.

Table IV.1: Disclosure to State Tax
Officials and State and Local Law     Taxyer information provided                                           Format         Frequency
Enforcement Agencies                  Employment tax audit reports pertaining to Form 940 -                 Hard copy      Quarterly
                                      Employers Annual Unemployment Tax Return
                                      Audit results and information regarding reclassification of           Hard copy      Quarterly
                                      independent contractor to employee status
                                      Individual and corporate income tax, estate tax, partnership,         Hard copy      Monthly
                                      fiduciary, excise tax, and exempt organization audit reports
                                      Late-filed income tax returns with a balance due                      Hard copy      Quarterly
                                      Criminal tax investigation reports and taxpayer listing               Hard copy      Quarterly
                                      Dyed diesel fuel inspection reports                                   Hard copy      Quarterly
                                      Business tax return information (master file and return               Tape           Annually
                                      transaction file)
                                      Form 1040 information and third-party information returns             Tape           Quarterly
                                      (underreporter program file)
                                      Audit and appeals information (audit adjustments and                  Tape           Annually
                                      appellate level results)
                                      Individual income tax return information (master file and             Tape           Annually
                                      return transaction file)
                                      Database of IRS third-party information returns (Form                 Tape           Annually
                                      1099s, W-2s, K-1s)
                                      Payer and payee information from W-2s, K-1s, Form 1099s,              Tape           Monthly
                                      and Form 5498
                                      Listing of taxpayers who did not itemize on their federal             Tape           Annually
                                      income tax return
                                      Information on the taxpaying population of a given state              Tape           Upon request
                                      Taxpayers mailing addresses                                           Tape           Weekly
                                      Legend
                                      Form 940 Employers Annual Unemployment Tax Return
                                      Form 1040 U.S. Individual Income Tax Return
                                      Form 1099s Interest, dividend, and miscellaneous income statements
                                      Form 5498 Individual Retirement Arrangement Information
                                      K-1s Beneficiary’s, partnership’s, and shareholder’s share of income, deductions, credits, etc.
                                      W-2s Wage and tax statement
                                      Note: Agencies are also authorized to make specific requests for tax information for a taxpayer they
                                      are working with. This may include IRS examination and collection files, wage and income
                                      information, bankruptcy files, and filing requirements for tax administration purposes.
                                      Source: IRS’ Office of Safeguards.


                                      In addition to the types of taxpayer information shown in table IV.1, in
                                      some states, the Attorney General’s Office receives inheritance tax and



                                      Page 36                                    GAO-GGD-99-164 Safeguarding Taxpayer Information
Appendix IV
Overview of Information Provided to State and Local Agencies Under the Provisions of IRC
Section 6103




estate tax information from IRS, including tax credits and closing letters to
taxpayers. This type of taxpayer information is disclosed quarterly on hard
copy or magnetic tape.

In certain states, such as Texas, that have no state income tax, the State
Comptroller’s Office—which is responsible for collecting state sales and
inheritance taxes—receives taxpayer information from IRS. The taxpayer
information consists of estate and gift tax audit reports and income
information, such as Form 1099s, on hard copy or magnetic tape, and
transcripts of business returns. This information is received on an ongoing,
as well as on a case-by-case, basis. The state of Wyoming also does not
have an income tax, but its department of transportation enforces fuel tax
laws. IRS provides Wyoming with fuel tax adjustment results on hard copy
and only upon specific request.

Some cities, such as St. Louis and Kansas City, levy an income-based tax
on their residents and those taxpayers that work in the city. These cities
receive income tax audit reports from IRS when adjustments are made to
wages or self-employment income. This information is received quarterly
on hard copy.

IRC section 6103(l)(6) allows IRS to disclose taxpayer information to state
                                               1
and local child support enforcement agencies. In general, taxpayer
information can be disclosed to any state or local child support
enforcement agency for establishing and collecting child support
obligations, including any procedure for locating individuals owing such
obligations.

IRC section 6103(l)(8) permits the Social Security Administration (SSA) to
disclose certain taxpayer information to state and local child support
enforcement agencies. However, section (l)(6) also permits the disclosure
of the same information, and more, to federal, state, and local agencies.
Currently, SSA is not making any disclosures of taxpayer information to
state and local child support enforcement agencies under 6103 section
(l)(8), but is making disclosures to the federal Office of Child Support
Enforcement (OCSE) on behalf of IRS. OCSE provides the names and, if
known, Social Security numbers. SSA performs computer matches and
provides Social Security numbers from SSA records, the last known
address from SSA records, and the address of the last known employer
1
 IRC section 6103(l)(6) also permits IRS to disclose certain taxpayer information to federal agencies,
such as the Office of Child Support Enforcement—a federal agency that oversees child support
enforcement at the federal level and acts as a coordinator for most programs involved with child
support enforcement.




Page 37                                    GAO-GGD-99-164 Safeguarding Taxpayer Information
                                            Appendix IV
                                            Overview of Information Provided to State and Local Agencies Under the Provisions of IRC
                                            Section 6103




                                            from W-2 and W-3 taxpayer information. OCSE then provides the
                                            information to the state and local child support enforcement agencies.
                                            Table IV.2 shows the other types of taxpayer information disclosed and the
                                            disclosure format and frequency.

Table IV.2: Disclosure to State and Local
Child Support Enforcement Agencies          Taxpayer information provided                                     Format                      Frequency
                                            Taxpayer addresses                                                Tape                        Weekly
                                            Individual income tax return information (Social Security number, Tape                        Monthly
                                            filing status, amount and nature of income, number of dependents)
                                            Source: IRS’ Office of Safeguards.


                                            Under IRC section 6103(l)(7), disclosures can be made to state and local
                                            agencies administering certain programs under the Social Security Act, the
                                            Food Stamp Act of 1977, title 38 U.S.C., or certain other housing assistance
                                            and benefits programs. The Deficit Reduction Act of 1984 required state
                                            public assistance agencies administering certain programs under the
                                                                  2                              3
                                            Social Security Act or the Food Stamp Act of 1977 to establish an income
                                            eligibility verification system. These agencies receive federal taxpayer
                                            information under the authority of the IRC 6103(l)(7) from SSA and IRS to
                                            be used solely for the purpose of, and to the extent necessary in,
                                            determining eligibility for, or the correct amount of benefits,under, the
                                            specified programs. The agencies receive wage and self-employment
                                            information from SSA through electronic transmissions and unearned
                                            income information (Form 1099s) from IRS through magnetic tapes.

                                            Table IV.3 shows the type of information disclosed and the disclosure
                                            format and frequency.

Table IV.3: Disclosure to State and Local
Welfare Agencies                            Taxpayer information provided                                     Format                     Frequency
                                            Taxpayer addresses                                                Tape                       Weekly
                                            Individual income tax return information (Social Security number, Tape                       Monthly
                                            filing status, amount and nature of income, number of dependents)
                                            Note: Data from SSA regarding Social Security payments are not considered taxpayer information
                                            because they are derived from SSA records. Wages obtained from W-2s/W-3s and self-employment
                                            income and other income data received from IRS are taxpayer information.
                                            Source: IRS’ Office of Safeguards.




                                            2
                                             Temporary Assistance for Needy Families and Medicaid are the programs commonly administered by
                                            state public assistance agencies.
                                            3
                                             The Personal Responsibility and Work Opportunity Reconciliation Act of 1996 states that
                                            “Notwithstanding any other provision of law, in carrying out the food stamp program, a State agency
                                            shall not be required to use an income and eligibility or an immigration status verification system . . . .”




                                            Page 38                                      GAO-GGD-99-164 Safeguarding Taxpayer Information
Appendix V

Possible Uses for Federal Taxpayer Data
Provided to Federal, State, and Local
Agencies
                                           Internal Revenue Code (IRC) section 6103 is very specific about the
                                           authorized use of any federal taxpayer data. During our study, Internal
                                           Revenue Service (IRS) officials and other federal and state officials
                                           indicated that there are many possible authorized uses for tax returns and
                                           return information in accordance with IRC section 6103 requirements.
                                           Agency officials stated that taxpayer information is used for tax
                                           administration and law enforcement purposes, for the administration of
                                           federal laws not related to tax administration, for statistical uses, for
                                           establishing and collecting child support obligations, and for determining
                                           eligibility for benefits. Table V.1 outlines some of the specific uses of
                                           federal taxpayer information.

Table V.1: Possible Uses of Taxpayer
Information by Federal, State, and Local   Agency            Possible use
Agencies                                   Federal           Tax administration and tax withholding purposes
                                                             Criminal investigation and litigation
                                                             Reporting criminal activities
                                                             Judicial or administrative procedures
                                                             Enforce federal criminal or civil statutes
                                                             Locate fugitives from justice
                                                             Conducting government program audits
                                                             Statistical purposes
                                                             Offsets
                                                             Storing and maintaining data for IRS
                                                             Administration of welfare and public assistance programs
                                                             Collection and enforcement of child support
                                           State and local   Verify taxpayer filed original or amended return and initiate state audit
                                                             Initiate state penalty investigation
                                                             Audit selection
                                                             Provide listing of alleged violators of criminal tax laws
                                                             Verify or update addresses
                                                             Skip tracing
                                                             Sales tax matching
                                                             Identify nonfilers
                                                             Determine discrepancies in reporting of income
                                                             Identify S corporation shareholders who avoid state tax by taking
                                                             dividends in lieu of wages
                                                             Statistical and revenue forecasting
                                                             Identify payers and employers not reporting to state and determine
                                                             underreporters
                                                             Identify partnerships with changes in number of partners to detect
                                                             possible sale of partnership interest
                                                             Compare officers’ salaries and total wages paid on corporate returns to
                                                             withholding tax filed
                                                             Compare federal tax withheld to state tax withheld
                                                             Locate delinquent taxpayers
                                                             Identify out-of-state income
                                                                                                                           (Continued)




                                           Page 39                              GAO-GGD-99-164 Safeguarding Taxpayer Information
Appendix V
Possible Uses for Federal Taxpayer Data Provided to Federal, State, and Local Agencies




Agency               Possible use
State and local      Motor fuels, estate, and gift tax enforcement
                     Unearned income matching
                     Provide income information for collection purposes
                     Administration of welfare and public assistance programs
                     Offsets
                     Collection and enforcement of child support
                     Civil and criminal investigation and litigation
Source: IRS’ Office of Safeguards.




Page 40                                GAO-GGD-99-164 Safeguarding Taxpayer Information
Appendix VI

Summary of Tax Information Security
Guidelines for Federal, State, and Local
Agencies
                      As a condition of receiving taxpayer information, agencies must show, to
                      the satisfaction of the Internal Revenue Service (IRS), that their policies,
                      practices, controls, and safeguards adequately protect the confidentiality
                      of the taxpayer information they receive from IRS. The agencies must
                      ensure that the information is used only as authorized by statute or
                      regulation and disclosed only to authorized persons. IRS has implemented
                      specific guidelines that all federal, state, and local agencies are to follow to
                      properly safeguard taxpayer information. These guidelines, outlined in IRS
                      Publication 1075, Tax Information Security Guidelines for Federal, State
                      and Local Agencies, are summarized below.

                      Federal, state, and local agencies, and other authorized recipients, may
Requesting Taxpayer   request taxpayer information from IRS in the form of a written request
Information           signed by the head of the requesting agency or other authorized official.
                      IRS also requires that a formal agreement—a Safeguard Procedures
                      Report—be provided by the agency that specifies the procedures
                      established and used by the agency to prevent unauthorized access and
                      use and describes how the information will be used upon receipt. The
                      Safeguard Procedures Report should be submitted to IRS at least 45 days
                      before the scheduled or requested receipt of taxpayer information.

                      Any agency that receives taxpayer information for an authorized use under
                      Internal Revenue Code (IRC) section 6103 may not use the information in
                      any manner or for any purpose not consistent with that authorized use. If
                      an agency needs federal tax information for a different authorized use
                      under a different provision of IRC section 6103, a separate request under
                      that provision is necessary. An unauthorized secondary use is specifically
                      prohibited and may result in discontinuation of disclosures to the agency
                      and in the imposition of civil or criminal penalties on the responsible
                      officials.

                      Before granting agency officers and employees access to taxpayer
                      information, officers and employees should certify that they understand
                      security procedures and instructions requiring their awareness and
                      compliance. Employees should be required to maintain their authorization
                      to access taxpayer information through annual recertification. As part of
                      the certification and at least annually, employees should be advised of the
                                                                   1
                      provisions of IRC 7213(a), 7213A, and 7431. Agencies should make officers
                      and employees aware that disclosure restrictions and the penalties apply
                      even after employment with the agency has ended.


                      1
                          IRC sections that prescribe civil and criminal penalties for unauthorized inspection or disclosure.




                      Page 41                                        GAO-GGD-99-164 Safeguarding Taxpayer Information
                Appendix VI
                Summary of Tax Information Security Guidelines for Federal, State, and Local Agencies




                Taxpayer information may be obtained by state tax agencies from IRS only
                to the extent the information is needed, and is reasonably expected to be
                used, for state tax administration. Some state disclosure statutes and
                administrative procedures permit access to state tax files by other
                agencies, organizations, or employees not involved in tax matters. IRC
                6103(d) does not permit access to taxpayer information for purposes other
                than for state tax administration.

                State and local tax agencies are not authorized to furnish taxpayer
                information to other state agencies, tax or nontax, or to political
                subdivisions, such as cities or counties, for any purpose, including tax
                administration. State and local tax agencies may not furnish taxpayer
                information to any other states, even where agreements have been made,
                informally or formally, for the reciprocal exchange of state tax
                information. Also, nongovernment organizations, such as universities or
                public interest organizations performing research, cannot have access to
                taxpayer information.

                Statutes that authorize disclosure of taxpayer information do not authorize
                further disclosures. Unless IRC section 6103 provides for further
                disclosures by the agency, the agency cannot make such disclosures. Each
                agency must have its own exchange agreement with IRS or with the Social
                Security Administration (SSA). When an agency is receiving data under
                more than one section 6103 authorization, each exchange or release of
                taxpayer information must have a separate agreement.

                An agency’s records of the taxpayer information it requests should include
                some account of the result of its use or why the information was not used.
                If an agency receiving taxpayer information on a continuing basis finds it is
                receiving information that, for any reason, it is unable to utilize, it should
                contact IRS to modify the request.

                Federal, state, and local agencies authorized under IRC section 6103 to
Recordkeeping   receive taxpayer information are required by IRC section 6103 (p)(4)(A) to
Requirements    establish a permanent system of standardized records of requests made by
                or to them for disclosure of the information. The records are to be
                maintained for 5 years or for the applicable records control schedule,
                whichever is longer.

                When taxpayer information is received in electronic form, authorized
                employees of the recipient agency must be responsible for securing
                magnetic tapes or cartridges before processing and ensuring that the
                proper acknowledgment form is signed and returned to IRS. Tapes



                Page 42                              GAO-GGD-99-164 Safeguarding Taxpayer Information
                 Appendix VI
                 Summary of Tax Information Security Guidelines for Federal, State, and Local Agencies




                 containing federal taxpayer information, any hard-copy printout of a tape,
                 or any file resulting from the processing of a tape is to be recorded in a log
                 that identifies (1) date received; (2) reel or cartridge control number
                 contents; (3) number of records; (4) movement; and (5) if disposed of, the
                 date and method of disposition.

                 Taxpayer information, other than that in electronic form, must be
                 maintained by (1) taxpayer name; 2) tax year(s); (3) type of tax return or
                 return information; (4) reason for the request; (5) date requested; (6) date
                 received; (7) exact location of the taxpayer information; (8) who has had
                 access to the data; and (9) if disposed of, the date and method of
                 disposition.

                 If the agency has the authority to make further disclosures, information
                 disclosed outside the agency must be recorded on a separate list that
                 reflects to whom the disclosure was made, what was disclosed, and why
                 and when it was disclosed.

                 IRS has categorized taxpayer and privacy information as high-security
Secure Storage   items. Security for a document, item, or an area may be provided by locked
                 containers of various types, vaults, locked rooms, locked rooms with
                 reinforced perimeters, locked buildings, guards, electronic security
                 systems, fences, identification systems, and control measures. The
                 required security for taxpayer information received depends on the
                 facility, the function of the agency, how the agency is organized, and what
                 equipment is available.

                 Agencies receiving taxpayer information are required to establish a
                 uniform method of protecting data and items that require safeguarding.
                 The Minimum Protection Standards System, which is utilized by most
                 agencies, has been designed to provide agencies with a basic framework of
                 minimum-security requirements. Since some agencies may require
                 additional security measures, they should analyze their individual
                 circumstances to determine the security needs at their facility.

                 Care must be taken to deny access to areas containing taxpayer
                 information during normal working hours. This can be accomplished by
                 restricted areas, security rooms, or locked rooms. In addition, taxpayer
                 information in any form (computer printout, photocopies, tapes, notes,
                 etc.) must be protected during nonworking hours. This can be done
                 through a combination of methods, including a secured or locked
                 perimeter or secured area.




                 Page 43                              GAO-GGD-99-164 Safeguarding Taxpayer Information
                        Appendix VI
                        Summary of Tax Information Security Guidelines for Federal, State, and Local Agencies




                        When it is necessary to move taxpayer information to another location,
                        plans must be made to properly protect and account for all of the
                        information. Taxpayer information must be in locked cabinets or sealed
                        packing cartons while in transit. Accountability should be maintained to
                        ensure that cabinets or cartons do not become misplaced or lost.

                        The handling of taxpayer information and tax-related documents must be
                        such that the documents do not become misplaced or available to
                        unauthorized personnel. Only those employees who have a need to know
                        and to whom disclosures may be made under the provisions of the statute
                        should be permitted access to information.

                        In the event that taxpayer information is hand-carried by an individual in
                        connection with a trip or in the course of daily activities, it must be kept
                        with that individual and protected from unauthorized disclosure.

                        Data stored and processed by computers and magnetic media should be
                        physically secured and controlled in a restricted access area. If the
                        confidentiality of the taxpayer information can be adequately protected,
                        alternative work sites, such as employees’ homes or other nontraditional
                        work sites, can be used. Despite location, taxpayer information remains
                        subject to the same safeguard requirements and the highest level of
                        attainable security.

                        Agencies are required by IRC 6103(p)(4)(C) to restrict access to taxpayer
Restricting Access to   information only to persons whose duties or responsibilities require
Taxpayer Information    access. Taxpayer information should be clearly labeled “federal tax
                        information” and handled in such a manner that it does not become
                        misplaced or available to unauthorized personnel.

                        Access to taxpayer information must be strictly on a need-to-know basis.
                        Information must never be indiscriminately disseminated, even within the
                        recipient agency. Agencies must evaluate the need for taxpayer
                        information before the data are requested or disseminated.

                        An employee’s background and security clearance should be considered
                        when designating authorized personnel. No person should be given more
                        taxpayer information than is needed to perform his or her duties.

                        To avoid inadvertent disclosures, it is recommended that taxpayer
                        information be kept separate from other information to the maximum
                        extent possible. In situations where physical separation is impractical, the
                        file should be clearly labeled to indicate the taxpayer information is



                        Page 44                              GAO-GGD-99-164 Safeguarding Taxpayer Information
                      Appendix VI
                      Summary of Tax Information Security Guidelines for Federal, State, and Local Agencies




                      included and the file should be safeguarded. Any commingling of data on
                      tapes should be avoided.

                      Processing of taxpayer information in magnetic media format, microfilms,
                      photo impressions, or other formats should be performed by agency-
                      owned and -operated facilities, or contractor or agency shared facilities.

                      All systems that process taxpayer information must meet the provisions of
                      OMB Circular A-130, appendix III and Treasury Directive Policy 71-10. The
                      Department of Defense Trusted Computer System Evaluation Criteria
                      (DOD 5200.28-STD), commonly called the “Orange Book,” should be used
                      as the basis for establishing systems that process taxpayer information.

                      All computer systems processing, storing, and transmitting taxpayer
                      information must have computer access protection controls (controlled
                      access protection level C-2). To meet C-2 requirements, the operating
                      security features of the system must have (1) a security policy, (2)
                      accountability, (3) assurance, and (4) documentation. Agencies should
                      assign overall responsibility to an individual (security officer) who is
                      knowledge about information technology and applications. This individual
                      should be familiar with technical controls used to protect the system from
                      unauthorized entry.

                      The two acceptable methods of transmitting taxpayer information over
                      telecommunications devices are encryption and the use of guided media.
                      Encryption involves the altering of data objects in a way that the objects
                      become unreadable until deciphered. Guided media involves the use of
                      protected microwave transmissions or the use of end-to-end fiber optics.

                      Connecting the agency’s computer system to the Internet will require
                      “firewall” protection to reduce the threat of intruders accessing data files
                      containing taxpayer information.

                      Agencies receiving taxpayer information from IRS are also required to
                      conduct internal inspections. The purpose of these inspections is to ensure
                      that adequate safeguard and security measures are maintained. Agencies
                      should submit copies of these inspections to IRS with their annual
                      Safeguard Activity Report.

                      IRC section 6103 (p)(4)(E) requires agencies receiving taxpayer
Safeguard Reporting   information to file a report that describes the procedures established and
and Review            used by the agency for ensuring the confidentiality of the information
Requirements          received from IRS. The Safeguard Procedures Report is a record of how



                      Page 45                              GAO-GGD-99-164 Safeguarding Taxpayer Information
                       Appendix VI
                       Summary of Tax Information Security Guidelines for Federal, State, and Local Agencies




                       taxpayer information is to be processed and protected from unauthorized
                       disclosure. Agencies should submit a new Safeguard Procedures Report
                       every 6 years or whenever significant changes occur in their safeguard
                       program.

                       Agencies must file an annual Safeguard Activity Report, which advises IRS
                       of changes to the procedures or safeguards described in the Safeguard
                       Procedures Report. The Safeguard Activity Report also (1) advises IRS of
                       any future actions that will affect the agency’s safeguard procedures, (2)
                       summarizes the agency’s current efforts to ensure the confidentiality of the
                       taxpayer information, and (3) certifies that the agency is protecting
                       taxpayer information in accordance with IRC section 6103 requirements
                       and the agency’s own security requirements.

                       A safeguard review is an on-site evaluation of the use of federal tax
                       information received from IRS and the measures used by the receiving
                       agency to protect that data. IRS conducts on-site reviews of agency
                       safeguards regularly. Reviews of state and local agencies are conducted by
                       IRS District Disclosure personnel. Reviews of federal agencies and state
                       welfare agencies are conducted by the IRS Office of Governmental Liaison
                       and Disclosure, Office of Safeguards.

                       IRS safeguard reviews cover the six requirements of IRC section
                       6103(p)(4), which are (1) recordkeeping, (2) secure storage, (3) restricting
                       access, (4) other safeguards, (5) reporting requirements, and (6) disposal.

                       Agencies are required by IRC section 6103(p)(4)(F) to take certain actions
Disposal of Taxpayer   upon completion of their use of taxpayer information in order to protect
Information            its confidentiality. Agency officials and employees should either return the
                       information, and any copies, or make the information “undisclosable” and
                       include in the agency’s annual report a description of the procedures used.
                       If the agency elects to return the information, a receipt process should be
                       used. Taxpayer information should never be provided to agents or
                       contractors for disposal unless authorized by the IRC.




                       Page 46                              GAO-GGD-99-164 Safeguarding Taxpayer Information
Appendix VII

Examples of Deficiencies Found During IRS’
Reviews of Agencies’ Safeguarding
Procedures
                The Internal Revenue Service (IRS) routinely conducts on-site reviews of
                agencies’ safeguard procedures to ensure that the procedures fulfill IRS
                requirements for protecting taxpayer information from unauthorized
                disclosure. After completing the review, IRS prepares a report of its
                findings and recommendations and sends the report to the agency for
                comment. Upon receiving the agency’s comments, IRS annotates its report
                to indicate whether it accepts responses as correcting any discrepancies
                reported.

                The following excerpts are examples of the findings, discussions,
Case Examples   recommendations, agency responses, and IRS comments found in recent
                IRS reports of safeguard reviews.

Case One
Finding         The agency permitted a number of contractors to have access to return
                information. Some of the contractors are authorized to have access, while
                others are not. Also, when contractor access was authorized, the agency
                was not always including “safeguarding” clauses in all contracts.

Discussion      The agency uses hundreds of contractors. Internal Revenue Code (IRC)
                section 6103 generally does not authorize contractors to have access to
                federal taxpayer information. Certain exceptions exist, such as section
                6103(n), which permits contracts for tax administration purposes, and
                section 6103(m)(2) and (7), which permit disclosures for the collection of
                federal debt and for the mailing of personal earnings and benefits estimate
                statements, respectively. However, there is not an exception for the
                purposes of administering the agency responsibilities under the act, nor for
                most other IRC section 6103 authorized disclosures.

                The agency uses contractors for the printing of the personal earnings and
                benefits estimate statements and has included a “safeguarding” clause,
                which requires that the contractor’s employees be made aware of the
                taxpayer information, its restricted access and use, and the penalty
                provisions for unauthorized access or use. The agency also uses a
                contractor for developing microfilm with taxpayer information. This
                contractor is authorized access, but the contract does not contain
                “safeguarding” language relating to taxpayer information. It does have
                confidential clauses relating to the Privacy Act provisions.

                The agency has also contracted out for the disposal of the paper Form W-
                2s and W-3s received. An earlier contract allowed for the contractor to
                shred the material to 2-inch strips or less, which does not meet the IRS



                Page 47                        GAO-GGD-99-164 Safeguarding Taxpayer Information
                    Appendix VII
                    Examples of Deficiencies Found During IRS’ Reviews of Agencies’ Safeguarding Procedures




                    required standard of 5/16-inch or less for shredding. The current contract
                    states that all material will be totally destroyed beyond legibility or
                    reconstruction through shredding, maceration, or pulping. However, a visit
                    to the contractor’s site revealed that the contractor is shredding material,
                    but not always to the original 2-inch requirement. The required
                    “safeguarding” clauses are not in the contract, and the employer is not
                    advising his employees of the confidentiality and penalties associated with
                    accessing taxpayer information.

                    Many other storage, retrieval, and disposal activities are contracted out by
                    the agency. Two units of the agency use contractors to conduct most of
                    the activities at their facilities, where beneficiary files (with taxpayer
                    information) are stored in open boxes. This is also true of the records
                    center that the agency contracts with to store, dispose of, and retrieve
                    millions of beneficiary files. Other units of the agency are also contracting
                    out for disposition of information. IRC section 6103 does not authorize
                    these contractors to have access to taxpayer information, which they do.

Recommendation      In order to comply with IRC section 6103 and with IRS standards, the
                    agency needs to review its use of contractors. When contractors are
                    authorized to have access to taxpayer information, the agency needs to
                    ensure that “safeguarding” clauses are included in the contracts. When
                    contractors are not authorized access to this information, the agency
                    needs to ensure that it is not permitting such access. Specific examples
                    include

                  • adding the safeguarding clauses to the microfilm development contract;
                  • adding the safeguarding clauses to the contract for the disposal of paper
                    return information, mainly W-2s and W-3s;
                  • ensuring that disposal methods meet IRS standards;
                  • developing policies and procedures to ensure that contractors who are not
                    authorized to have access do not have access; and
                  • making units and field offices aware of “unauthorized access” by
                    contractors.

Agency Response     The agency agreed that safeguarding clauses need to be included in
                    contracts when contractors are authorized to have access to taxpayer
                    information and that contractors should not have access unless
                    authorized.

IRS Comment         IRS was still being reviewing this agency’s safeguard report and had not
                    finalized its comments at the time we prepared our report.




                    Page 48                              GAO-GGD-99-164 Safeguarding Taxpayer Information
                      Appendix VII
                      Examples of Deficiencies Found During IRS’ Reviews of Agencies’ Safeguarding Procedures




Case Two
Finding               The recordkeeping system at the agency’s field offices does not meet all of
                      the statutory requirements for tax information accountability.

Discussion            When federal tax returns or return information are received, agencies are
                      required to maintain a record of

                  •   taxpayer name,
                  •   tax year(s),
                  •   type of information,
                  •   reason for request,
                  •   date requested,
                  •   date received,
                  •   exact location of data, and
                  •   who has had access to the data.

                      Further, if and when the data are disposed of, agencies are required to
                      maintain a record of the date and method of disposition.

                      Agency field offices maintain a system of records for tracking documents
                      and evidence obtained during a criminal investigation. Returns and return
                      information are generally placed in an evidence envelope and associated
                      with the case files, which are kept in the office’s filing area. The envelope
                      is annotated as to contents and any additional descriptive information the
                      case agent may write down. The agency’s system of standardized records
                      contained many of the required items listed above, but not all of them.
                      Further, tax documents controlled by the agency’s seizure team unit may
                      not necessarily show who has had access to the information.

Recommendation        Since information used to track returns and return information is
                      dependent upon information furnished by the case agent, the agency
                      should ensure that the agents are aware of the elements required to meet
                      the statutory requirements for tracking federal tax data. Also, the seizure
                      team unit may wish to consider using some type of “charge-out” form to
                      record accesses to tax information.

Agency Response       The agency uses a central recordkeeping system for maintaining all
                      investigative files. The system is outlined in the Federal Register. During
                      IRS’ review, access to information by the IRS team was limited to the
                      federal tax return and return information contained in the evidence
                      envelope, and not to the entire file. Information regarding the taxpayer
                      name, tax year(s), reasons for request, and data requested is contained in



                      Page 49                              GAO-GGD-99-164 Safeguarding Taxpayer Information
                  Appendix VII
                  Examples of Deficiencies Found During IRS’ Reviews of Agencies’ Safeguarding Procedures




                  the case file and supplied to IRS during the request for the information.
                  The date received and type of information is maintained in the evidence
                  log. Access to case information is restricted based on the need-to-know
                  and to individuals having a file on the case. Agency procedures used for
                  controlling access to federal tax return and return information within the
                  seizure team unit are the same procedures used for investigative
                  information. Information is restricted to individuals with a role in the asset
                  forfeiture.

IRS Comment       Along with the agency’s response, the appropriate Federal Register cite
                  was provided. The agency’s response was accepted.

Case Three
Finding           Agency employees that have access to federal tax data are not aware of the
                  criminal and civil penalties that can be imposed for unauthorized
                  disclosure of the data.

Discussion        IRS Publication 1075 requires that, as part of an agency’s employee
                  awareness program, each employee that has access to federal tax data
                  should receive copies of IRC sections 7213(a) and 7431, which describe the
                  criminal and civil penalties applicable to the unauthorized disclosure of
                  federal tax data. In addition, employees must be advised at least annually
                  of these provisions. Personnel that IRS’ review team talked with could not
                  recall receiving copies of the IRC penalty provisions. Employees receive
                  periodic reminders about protecting sensitive information; however, they
                  are not specifically reminded of the provisions of IRC sections 7213(a) and
                  7431.

Recommendation    All employees that are authorized to have access to federal tax data should
                  receive a copy of IRC section 7213(a) and 7431, and they should be
                  reminded at least annually of the criminal and civil penalties that can be
                  imposed under the IRC for the unauthorized disclosure of federal tax data.

Agency Response   Although employees were not specifically aware of the penalties for
                  unauthorized disclosure of federal tax data as contained in the IRC, agency
                  employees knew about the penalties for unauthorized disclosure of
                  information contained in investigative files.

IRS Comment       The revised IRS Publication 1075 now contains penalty provisions in
                  exhibits 3 and 4. Along with the agency response, IRS received a copy of
                  Security Bulletin 96-03 with attachments A-2 and A-3, with instructions that
                  the information in the document be reviewed annually by all personnel



                  Page 50                              GAO-GGD-99-164 Safeguarding Taxpayer Information
                  Appendix VII
                  Examples of Deficiencies Found During IRS’ Reviews of Agencies’ Safeguarding Procedures




                  who have access to tax return and return information provided to the
                  agency by IRS. Observance of Security Bulletin 96-03 will satisfy the IRS
                  requirement.

Case Four
Finding           The last Safeguard Activity Report for this agency was dated June 29,
                  1995—2 years before the review. Also, the report did not contain the
                  information as required in IRS Publication 1075. Additionally, IRS records
                  showed the last Safeguard Procedures Report was submitted in 1988.

Discussion        The statute requires reports to be furnished to IRS describing the
                  procedures established and utilized to ensure the confidentiality of tax
                  data received from IRS. After the submission of the Safeguard Procedures
                  Report, a written Safeguard Activity Report is to be submitted annually to
                  give information regarding the agency’s safeguard program. The Safeguard
                  Procedures Report should be updated as changes occur, and a new report
                  submitted when warranted.

Recommendation    A Safeguard Activity Report must be submitted to IRS no later than
                  January 31 each year. The report must contain the required information as
                  shown in IRS Publication 1075. Because of changes within the agency
                  since 1988, a current Safeguard Procedures Report was requested.

Agency Response   The agency responded that it would comply with all reporting
                  requirements. It assigned its internal audit unit the annual inspection as
                  required by IRS Publication 1075 and planned to submit the Safeguard
                  Activity Report. The agency submitted an updated Safeguard Procedures
                  Report.

IRS Comment       IRS accepted the response, but explained to the agency that the Safeguard
                  Procedures Report was not a “one-time” report and that it should be
                  updated as changes occur and a new one submitted when warranted. IRS
                  requested that a revised version be submitted reflecting changes made as a
                  result of IRS’ review.

Case Five
Finding           The agency’s records did not list some employees who were receiving and
                  using taxpayer information to determine Medicaid eligibility.

Discussion        The Deficit Reduction Act of 1984 requires states to have an income and
                  eligibility verification system for use in administering certain benefits



                  Page 51                              GAO-GGD-99-164 Safeguarding Taxpayer Information
                  Appendix VII
                  Examples of Deficiencies Found During IRS’ Reviews of Agencies’ Safeguarding Procedures




                  programs. State welfare agencies are required to obtain and use unearned
                  income data from IRS and other wage and income data from SSA in the
                  verification process of these benefits programs. Accordingly, IRC section
                  6103 authorizes the disclosure of taxpayer information to federal, state,
                  and local agencies by IRS or SSA for use in the administration of these
                  benefits programs. As a condition of receiving taxpayer information, state
                  welfare agencies are required to maintain a permanent system of
                  standardized records that documents all requests for, receipt of, and
                  disclosures of taxpayer information made to or by the agencies.

                  During its review of this agency, IRS found that, while some employees
                  acknowledged using taxpayer information, the agency’s records did not list
                  the employees as having received taxpayer information. IRS found that
                  taxpayer information, in the form of a printout, was being disclosed to
                  Medicaid technicians who are stationed at various state hospitals. The
                  technicians receive the information to determine Medicaid eligibility for
                  applicants who were hospitalized. Upon receipt from the agency’s
                  mailroom, the printout is accompanied by an acknowledgment form that
                  employees must sign, indicating receipt of taxpayer information. IRS found
                  that technicians were properly signing the acknowledgment form and
                  returning it to the mailroom to indicate receipt of the information.
                  However, the agency’s records did not reflect that taxpayer information
                  was being disclosed from the agency to its employees located at these
                  various state hospitals.

Recommendation    The state hospitals that get taxpayer information should be included so
                  that the agency’s records reflect a complete and accurate listing of all
                  requests, receipts, and disclosures of taxpayer information.

Agency Response   The Medicaid technicians are stationed at the state hospitals at various
                  times. For this reason, any disclosure of taxpayer information to these
                  hospitals will be managed by an agency coordinator. To improve
                  recordkeeping, the coordinator will provide a listing of the disclosures,
                  and this list, along with the agency acknowledgment forms, will be
                  maintained in the standardized records. The General Services Mail and
                  Distribution Manager will ensure that the records are received.

IRS Comment       Agency’s response was acceptable.




                  Page 52                              GAO-GGD-99-164 Safeguarding Taxpayer Information
                                              Appendix VII
                                              Examples of Deficiencies Found During IRS’ Reviews of Agencies’ Safeguarding Procedures




                                              Table VII.1 summarizes some of the other deficiencies found during IRS’
Other Deficiencies                            on-site safeguard reviews of federal, state, and local agencies.


Table VII.1: Examples of Agency Deficiencies Found During IRS’ Safeguard Reviews
General category                   Specific deficiency noted
Maintaining system of standardized No system exists for ensuring that all keys to secure areas are accounted for or that access to keys
records                            is restricted.
                                   No records exist of when taxpayer information was received and destroyed, or of how the
                                   information was destroyed.
Maintaining secure storage         Taxpayer information locked in the supervisor’s office, but not in locked containers or file cabinets,
                                   which would properly protect the information from inadvertent or unauthorized disclosure.
                                   Agency mailroom not secure during nonduty hours, and employees are leaving taxpayer
                                   information unsecured, in unlocked containers.
                                   No reconciliation of transmittal documents to actual receipts and shipments of federal return
                                   information.
                                   There was not adequate protection for tax information. There was no agency requirement that
                                   containers be locked, and some containers cannot be locked.
                                   There was not a specific individual responsible for physical security.
Restricting/limiting access        Ground floor entrances were not locked during office hours, and there was a need for “Employee
                                   Only” signs.
                                   IRS tapes and income and eligibility verification system documents were transported via unsecured
                                   courier service.
                                   Tax information was combined with nontax information and accessible by other employees not
                                   directly involved in program.
                                   Several federal tax documents were found that were not labeled as such.
                                   Agency was sharing taxpayer information with other state agencies and contractors that are not
                                   authorized to receive information.
Disposal of taxpayer information   Agency was using an unauthorized method of destroying taxpayer information.
                                   Existing procedures for repairs to equipment do not appear to address removal of federal return
                                   information before repairs are made.
                                   Agency was not utilizing proper destruction procedures for taxpayer information that is no longer
                                   being used.
Computer security                  Computer systems containing tax information do not display warning banners reminding employees
                                   of safeguarding requirements and associated penalties.
                                   Agency was not promptly removing from the system employees that no longer needed access to
                                   taxpayer information.
                                   Taxpayer data was not transmitted through secure communication lines to prevent unauthorized
                                   use or access.
                                   Unsecured dial-in modems were being used for taxpayer information on agency systems, and
                                   information on the mainframe was not adequately restricted.
Other safeguards                   Employees were not properly trained on all aspects of safeguarding tax information. Some were not
                                   aware of the civil and criminal penalties associated with unauthorized disclosure or of the Taxpayer
                                   Browsing Act.
                                   Internal security inspections were not conducted, or the results were not documented. There was
                                   no documentation of corrective actions, if any were taken.
                                   The agency needs to post signs and send memos to remind employees of their responsibility to
                                   safeguard federal tax information.
                                              Source: IRS Office of Safeguards.




                                              Page 53                               GAO-GGD-99-164 Safeguarding Taxpayer Information
Appendix VIII

Staffing Levels for IRS’ Office of Safeguards


                Listed below are the staffing levels, as of June 1999, for IRS’ national and
                district offices that are responsible for IRS’ safeguarding program. In
                addition to overseeing the safeguarding program, the district offices have
                responsibilities for a variety of other disclosure activities. These activities
                include, among other things, conducting disclosure awareness seminars
                for state and local agency personnel, processing Freedom of Information
                Act and Privacy Act requests, processing ex parte orders for grand jury or
                federal criminal investigations, testifying in federal court to certify that
                certain documents are true copies of tax return information, and reviewing
                subpoenas served to IRS personnel to advise them of what they can and
                cannot disclose in court.

                                                                           Number of staff
                      Office                                        Professional Support      Total
                      National Office of Safeguards                           12                 12
                I     Midstates Region                                         3                  3
                1     Arkansas-Oklahoma District                               4        1         5
                                        a
                2     Houston District                                         5                  5
                3     Illinois District                                        9        2        11
                4     Kansas-Missouri District                                 7        1         8
                5     Midwest District                                        11        2        13
                6     North Central District                                   8                  8
                                           a
                7     North Texas District                                     6        1         7
                8     South Texas District                                     5        1         6
                        Regional subtotal                                     58        8        66
                II    Northeast Region                                         3                  3
                                         a
                9     Brooklyn District                                        4                  4
                10    Connecticut-Rhode Island District                        4                  4
                11    Manhattan District                                       3        1         4
                12    Michigan District                                        5                  5
                13    New England District                                     9                  9
                14    New Jersey District                                      4        1         5
                15    Ohio District                                            5                  5
                16    Pennsylvania District                                    6        1         7
                17    Upstate New York District                                4        1         5
                        Regional subtotal                                     47        4        51
                III   Southeast Region                                         4                  4
                18    Delaware-Maryland District                               7        1         8
                19    Georgia District                                         5        1         6
                20    Gulf Coast District                                      8        1         9
                21    Indiana District                                         4                  4
                22    Kentucky-Tennessee District                              6        1         7
                23    North Florida District                                   5                  5
                24    North-South Carolina District                            5        1         6
                                             a
                25    South Florida District                                   4        1         5
                26    Virginia-West Virginia District                          5                  5
                        Regional subtotal                                     53        6        59
                                                                                        (Continued)




                Page 54                              GAO-GGD-99-164 Safeguarding Taxpayer Information
Appendix VIII
Staffing Levels for IRS’ Office of Safeguards




                                                                Number of staff
      Office                                             Professional Support        Total
IV    Western Region                                                3                   3
27    Central California District                                   6        1          7
28    Los Angeles District                                          6        1          7
29    Northern California District                                 11        2         13
30    Pacific-Northwest District                                   10        1         11
31    Rocky Mountain District                                       9        1         10
32    Southern California District                                  8                   8
33    Southwest District                                            7                   7
       Regional subtotal                                           60        6         66
      Total                                                       230       24        254
a
Not responsible for any safeguard review activities.
Source: IRS’ Office of Safeguards.




Page 55                                   GAO-GGD-99-164 Safeguarding Taxpayer Information
Appendix IX

Questionnaires Used to Survey Federal, State,
and Local Agencies Receiving Taxpayer
Information
Figure IX.1: Survey of Federal Agencies Receiving Taxpayer Data




                                          Page 56                 GAO-GGD-99-164 Safeguarding Taxpayer Information
Appendix IX
Questionnaires Used to Survey Federal, State, and Local Agencies Receiving Taxpayer
Information




Page 57                              GAO-GGD-99-164 Safeguarding Taxpayer Information
                                          Appendix IX
                                          Questionnaires Used to Survey Federal, State, and Local Agencies Receiving Taxpayer
                                          Information




Figure IX.2: Survey of State and Local Agencies Receiving Taxpayer Data




                                          Page 58                              GAO-GGD-99-164 Safeguarding Taxpayer Information
Appendix IX
Questionnaires Used to Survey Federal, State, and Local Agencies Receiving Taxpayer
Information




Page 59                              GAO-GGD-99-164 Safeguarding Taxpayer Information
Appendix X

Comments From the Internal Revenue Service




              Page 60    GAO-GGD-99-164 Safeguarding Taxpayer Information
Appendix XI

GAO Contacts and Staff Acknowledgments


                  Cornelia Ashby, (202) 512-9110
GAO Contacts
                  Joseph Jozefczyk, (202) 512-9110

                  In addition to those named above, Michelle Bowsky, John Gates, Tim
Acknowledgments   Outlaw, Anne Rhodes-Kline, Kirsten Thomas, and Carrie Watkins made key
                  contributions to this report.




                  Page 61                          GAO-GGD-99-164 Safeguarding Taxpayer Information
Page 62   GAO-GGD-99-164 Safeguarding Taxpayer Information
Page 63   GAO-GGD-99-164 Safeguarding Taxpayer Information
Page 64   GAO-GGD-99-164 Safeguarding Taxpayer Information
Ordering Information

The first copy of each GAO report and testimony is free. Additional
copies are $2 each. Orders should be sent to the following address,
accompanied by a check or money order made out to the
Superintendent of Documents, when necessary. VISA and
MasterCard credit cards are accepted, also. Orders for 100 or more
copies to be mailed to a single address are discounted 25 percent.

Order by mail:

U.S. General Accounting Office
P.O. Box 37050
Washington, DC 20013

or visit:

Room 1100
     th                  th
700 4 St. NW (corner of 4 and G Sts. NW)
U.S. General Accounting Office
Washington, DC

Orders may also be placed by calling (202) 512-6000 or by using fax
number (202) 512-6061, or TDD (202) 512-2537.

Each day, GAO issues a list of newly available reports and testimony.
To receive facsimile copies of the daily list or any list from the past
30 days, please call (202) 512-6000 using a touch-tone phone. A
recorded menu will provide information on how to obtain these
lists.

For information on how to access GAO reports on the INTERNET,
send e-mail message with “info” in the body to:

info@www.gao.gov

or visit GAO’s World Wide Web Home Page at:

http://www.gao.gov
United States                       Bulk Rate
General Accounting Office      Postage & Fees Paid
Washington, D.C. 20548-0001           GAO
                                Permit No. G100
Official Business
Penalty for Private Use $300

Address Correction Requested




(268874)