TREASURY
INSPECTOR GENERAL FOR TAX ADMINISTRATION
The Monitoring of Privacy Over Taxpayer Data Is Improving, Although Enhancements Can Be Made to Ensure Compliance With Privacy Requirements
September 22, 2006
Reference Number: 2006-20-166
This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.
Phone Number | 202-927-7037
Email Address | Bonnie.Heald@tigta.treas.gov
Web Site | http://www.tigta.gov
September 22, 2006
MEMORANDUM FOR CHIEF, MISSION ASSURANCE AND SECURITY SERVICES
FROM: Michael R. Phillips /s/ Michael R. Phillips
Deputy Inspector General for Audit
SUBJECT: Final Audit Report – The Monitoring of Privacy Over Taxpayer Data Is Improving, Although Enhancements Can Be Made to Ensure Compliance With Privacy Requirements (Audit # 200620002)
This report presents the results of our review to determine whether the Office of Privacy and Information Protection has effective controls and procedures to ensure Internal Revenue Service (IRS) computer systems and employees adhere to privacy regulations. This review was included in the Treasury Inspector General for Tax Administration’s Fiscal Year 2006 Annual Audit Plan and was part of the Information Systems Programs statutory requirements to annually review the adequacy and security of IRS technology.[1]
Impact on the Taxpayer
The IRS processes and maintains sensitive taxpayer information in computer systems for over 130 million taxpayers. Privacy Impact Assessments (PIA)[2] have not been conducted for all computer systems, and compliance with privacy laws has not been adequately monitored. As a result, the risk is increased that taxpayers’ identities could be stolen and used for unlawful purposes.
Synopsis
The issue of privacy and security over personal information has received much publicity. For example, the Department of Veterans Affairs[3] recently reported that personally identifying data for as many as 26 million American veterans were stolen from an employee’s home. This incident received significant attention because the loss of personally identifying data can represent the first step to identity theft. In 2004, the IRS received more than 130 million individual taxpayers’ income tax returns. The personal information contained in these returns is converted into electronic format and used in over 240 IRS computer systems.
The IRS is not complying with privacy legislation. As a result, the IRS does not have assurance that privacy implications have been considered and evaluated on all of its computer systems.
Within the past 2 years, the Office of Privacy and Information Protection[4] has maintained and enhanced the IRS’ privacy program by chairing a working group reviewing privacy and disclosure issues and by creating an online privacy training segment on the Office of Privacy and Information Protection web site. Despite these efforts, the IRS is not complying with legislative privacy requirements. Specifically, the IRS can take further actions to ensure PIAs have been conducted for all systems and applications that collect personal information and enhance its processes to better monitor compliance with privacy policy and procedures.
The E-Government Act of 2002[5] and IRS guidelines require every computer system or project that collects personal information to have a current PIA on file with the Office of Privacy and Information Protection. As of August 2005, we were unable to locate PIAs for 130 (54 percent) of the 241 IRS computer systems that collect and process taxpayer or employee data. We attribute the missing PIAs to the lack of emphasis on privacy issues and the decision to not require that all systems be certified and accredited.[6]
Also, the PIA review process was not always consistently conducted, and review results were not always properly documented. At the time the Office of Privacy and Information Protection completed the PIAs, there were no PIA review procedures and no core list of source information to verify system facts and information. As a result, PIA reviews were not consistently performed. The analysts did not properly document actions pending or taken in a history log and could review the answers provided in the PIA only for consistency.
In addition, the Office of Privacy and Information Protection did not conduct any compliance reviews on existing PIAs. IRS procedures provide for compliance reviews as a means to validate that information submitted in the PIA truly represents the data being collected in the computer system or project. These compliance reviews can provide opportunities to update and verify information stated in the PIAs and ensure business units are complying with privacy policies and procedures.
By addressing these areas, the Office of Privacy and Information Protection would better fulfill its responsibility to create and maintain privacy awareness and monitor all uses of taxpayer data by IRS employees. This will provide the first steps to ensure the security and protection over taxpayer data throughout the agency.
Recommendations
We recommended the Chief, Mission Assurance and Security Services, request business owners to identify and report all systems or projects that collect personal identifiable information. A PIA should be prepared and submitted to the Office of Privacy and Information Protection for monitoring, oversight, and evaluation. The Director, Office of Privacy and Information Protection, should establish a centralized repository for all PIAs in a searchable, electronic format and verify the accuracy of the PIA inventory quarterly; initiate a program providing for the routine evaluation of employee training activities relative to current privacy policy requirements and develop a system for the tracking and monitoring of these activities; and reinforce the importance of PIA case documentation with specific instructions and implement a compliance review process to assess whether IRS business units are adhering to privacy regulations.
Response
The Chief, Mission Assurance and Security Services, agreed with our findings and recommendations. The Office of Privacy and Information Protection will annually cross-walk (reconcile) the PIA inventory to existing system inventories and provide information to business owners for systems requiring PIAs. The Office of Privacy and Information Protection will also develop and implement a process to verify the PIA inventory accuracy quarterly and is developing an electronic PIA inventory and an electronic document management system for archiving electronic PIA artifacts. In addition, the Office of Privacy and Information Protection is establishing privacy awareness training via the mandatory IRS Information Protection training and will initiate a job-specific training program for privacy. Training will be deployed via the IRS Enterprise Learning Management System to ensure accurate monitoring and tracking. Finally, the Office of Privacy and Information Protection will establish assessment standards for PIAs to ensure consistency and extent of coverage based on system complexity, along with case documentation and analysis requirements. Management’s complete response to the draft report is included as Appendix IV.
Copies of this report are also being sent to the IRS managers affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions or Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs), at (202) 622-8510.
Monitoring of Privacy Compliance Can Be Enhanced
Appendices
Appendix I – Detailed Objective, Scope, and Methodology
Appendix II – Major Contributors to This Report
Appendix III – Report Distribution List
Appendix IV – Management’s Response to the Draft Report
Abbreviations

| Abbreviation | Meaning |
|---|---|
| FISMA | Federal Information Security Management Act |
| IRS | Internal Revenue Service |
| PIA | Privacy Impact Assessment |
Within the Federal Government, privacy can be defined as a citizen’s expectation that personal information collected for official Government business will be protected from unauthorized use and access. The issue of privacy and security over personal information has received much publicity since 2005. For example, in February 2005, the Bank of America reported the loss of data tapes that contained personal information on 1.2 million Federal Government employees. More recently, in May 2006, the Department of Veterans Affairs[7] reported that personally identifying data for as many as 26 million American veterans were stolen from an employee’s home. These incidents received significant attention because the loss of personally identifying data can represent the first step to identity theft, which occurs when someone uses personal information, without permission, to commit fraud or other crimes, such as opening fraudulent credit card accounts and purchasing goods.
The Federal Trade Commission[8] has reported increased filings of identity theft complaints, and the Privacy Rights Clearinghouse[9] estimates that, during 2005, over 50 million people had been put at risk as a result of security breaches. The average identity theft victim spends 175 hours and $800 resolving identity theft-related issues, and it takes 2 years to 4 years for victims to resolve all the resulting problems.
Like the private sector, the Federal Government collects enormous amounts of personal information from private citizens. For example, in 2004 the Internal Revenue Service (IRS) received more than 130 million individual taxpayers’ income tax returns. Each of these tax returns includes the filer’s name, address, Social Security Number, and other personal financial data. This personal information is converted into electronic format and used in over 240 IRS computer systems, such as the Integrated Data Retrieval System.[10]
From a legislative perspective, the issue of privacy is governed by several laws. The Privacy Act of 1974[11] placed limitations on Federal Government agencies’ collection, disclosure, and use of personal information maintained in computer systems. More recently, the E-Government Act of 2002[12] provided additional protection for personal information by requiring agencies to conduct Privacy Impact Assessments (PIA). A PIA is required for every computer system or project that collects personal information and must be maintained by the bureaus and agencies. A PIA represents an analysis of how personal information is handled to ensure it conforms to applicable legal and regulatory requirements over privacy; determines the risks and effects of collecting, maintaining, and disseminating information in identifiable form; and examines and evaluates protections and alternative processes for handling information to reduce potential privacy risks. Systems must be reevaluated every 3 years or when major system modifications[13] occur.
In addition, the Consolidated Appropriations Act of 2005, Section 522,[14] required each agency to have a Chief Privacy Officer to assume the responsibility for privacy and data protection policy. These legislative requirements provide the need for a strong privacy program within Federal Government bureaus and agencies.
The administration of the IRS privacy program is the responsibility of the Director, Office of Privacy and Information Protection, who reports directly to the Chief, Mission Assurance and Security Services. The mission of the Office of Privacy and Information Protection is to ensure IRS policies and programs incorporate taxpayer and employee privacy requirements and the personal information entrusted to the IRS remains protected, secure, and private.
This review was performed at the IRS National Headquarters in Washington, D.C., in the Office of Privacy and Information Protection during the period September 2005 through March 2006. The audit was conducted in accordance with Government Auditing Standards. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.
Because of the large amount of personal information it receives and concern over privacy implications of maintaining that information, the IRS established the Privacy Advocate position in 1993, becoming the first Federal Government agency to assign privacy to an executive official. Within the past 2 years, the Office of Privacy and Information Protection has maintained and enhanced the IRS’ privacy program by:
Despite the Office of Privacy and Information Protection’s efforts to increase privacy awareness and manage its program, the IRS is not complying with legislative privacy requirements and, thus, is not ensuring the privacy of taxpayer data is being tracked and monitored adequately. Specifically, the IRS can take further actions to ensure PIAs have been conducted for all systems and applications that collect personal information and enhance its processes to better monitor compliance with privacy policy and procedures. These improvements will allow the IRS to better identify and monitor all uses of taxpayer data and will provide the first steps to ensure the security and protection over taxpayer data throughout the agency.
Computer systems that collect personal information did not have PIAs
The E-Government Act of 2002 and IRS guidelines require every computer system or project that collects personal information to have a current PIA on file with the Office of Privacy and Information Protection. The existence of the PIA provides reasonable assurance that privacy implications have been considered and evaluated in the collection of the data. Systems must be reevaluated every 3 years.
As of August 2005, the IRS maintained 281 computer systems to assist in tax administration. Of these, 241 collected and processed personal information, consisting of either taxpayer or employee data. Based on privacy requirements, each of these 241 systems should have a PIA completed by system owners and maintained by the Office of Privacy and Information Protection. However, we were unable to locate PIAs for 130 (54 percent) of the 241 computer systems.
The IRS classifies its computer systems into three categories: general support systems, major applications, and nonmajor applications.[17] Table 1 presents the number of computer systems in each classification that did not have a PIA.
Table 1: Number of Computer Systems Without PIAs That Collect Taxpayer or Employee Data

| System Classification | Total Number of Computer Systems | Number of Computer Systems That Process or Collect Personally Identifiable Data | Number of Computer Systems Without a Required PIA Statement |
|---|---|---|---|
| General Support Systems | 29 | 29 | 21 (72%) |
| Major Applications | 53 | 53 | 5 (9%) |
| Nonmajor Applications | 199 | 159 | 104 (65%) |
| Totals | 281 | 241 | 130 (54%) |
Source: The Office of Privacy and Information Protection’s inventory lists and our report entitled Treasury Inspector General for Tax Administration - Federal Information Security Management Act Report for Fiscal Year 2005 (Reference Number 2006-20-071, dated October 2005).
We attribute the missing PIAs to the lack of emphasis on privacy issues and the decision to not require that all systems be certified and accredited,[18] which included the submission of PIAs as part of the certification process.
The Office of Privacy and Information Protection, as part of its own poststudy review of the Federal Information Security Management Act (FISMA)[21] reporting process, found that “mapping the Office of Privacy and Information Protection inventory to the Fiscal Year 2005 FISMA inventory was difficult due to the inability to clearly identify the subcomponents of the general support systems and major applications.” The Office of Privacy and Information Protection has acknowledged the lack of PIAs as a weakness and has taken proactive steps to increase privacy awareness, such as conducting awareness presentations to IRS business unit executives and in the IRS’ annual Security Awareness week in the National Headquarters Office on the risks and requirements of privacy for computer systems maintaining personal identifiable information.
We believe it is critical that the IRS complete PIAs for all computer systems or projects in which personal information is collected, processed, used, and/or stored. When PIAs are not prepared and properly maintained, the IRS is unaware of all instances in which the collection of data is occurring, and the IRS could be violating privacy regulations and unnecessarily exposing sensitive data to theft or misuse. As such, public trust could be lost when privacy risks are not identified and privacy protections are not adhered to.
An effective management information system to track PIAs does not exist
The Office of Privacy and Information Protection recognizes that sound business practice requires a functional and useful centralized management information system to track and monitor its PIAs. The Office of Privacy and Information Protection is currently using a system developed by the Office of Disclosure.[22] This system contains pre-set data fields and cannot be customized to add more useful information, so it is mainly used to assign and generate PIA control numbers. Because of this limitation, the Office of Privacy and Information Protection created two additional inventory systems to capture specific information for different uses. One system is used to calculate the number of days the PIA is open and when a recertification is due, and the second system is a working file for the analysts. Inefficiencies exist when the staff need to query two inventory lists to obtain basic information, such as the system name and associated PIA control number. Also, maintaining multiple inventory lists creates data inaccuracies, such as determining when a recertification of a system’s PIA is due. For example, we identified the following discrepancies among the several PIA lists:
The Office of Privacy and Information Protection has also identified its management information system as a weakness in its poststudy review of the FISMA reporting process. As a result, the Office of Privacy and Information Protection is developing an electronic, menu-driven, and more user-friendly version of the PIA and has plans to incorporate and implement the new PIA in a new management information system scheduled to be completed by the end of Fiscal Year 2006.
Recommendations
Recommendation 1: The Chief, Mission Assurance and Security Services, should request IRS business owners to identify and report all systems or projects that collect personal identifiable information. A PIA should be prepared and submitted to the Office of Privacy and Information Protection for monitoring, oversight, and evaluation.
Management’s Response: IRS management agreed with this recommendation. The Office of Privacy and Information Protection will annually cross-walk (reconcile) the PIA inventory to existing system inventories and provide information to business owners for systems requiring PIAs. The Office of Privacy and Information Protection will also conduct a study to identify PIA process improvements to ensure limited resources are focused on systems that collect personal identifiable information and will establish policy, based on the study, for systems that require a PIA.
Recommendation 2: The Director, Office of Privacy and Information Protection, should establish a centralized repository for all PIAs in a searchable, electronic format. The process should be developed to verify the accuracy of the PIA inventory quarterly. The Office of Privacy and Information Protection should also develop an electronic document management system for archiving electronic PIA artifacts.
Management’s Response: IRS management agreed with this recommendation. The Office of Privacy and Information Protection will develop and implement a process to verify the PIA inventory accuracy quarterly. The Office of Privacy and Information Protection is also developing an electronic PIA inventory and an electronic document management system for archiving electronic PIA artifacts.
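The inventory cross-walk described in the report (one PIA per system that collects personal data, reevaluation every 3 years, and reconciliation of the PIA list against the system inventory) can be checked mechanically. The script below is an added illustration, not the IRS' or TIGTA's own tooling; the system identifiers, PIA control numbers, dates and the small inventory are constructed, and it also reports PIAs that no longer map to any inventoried system, a discrepancy the report attributes to keeping multiple lists.

```python
from dataclasses import dataclass
from datetime import date

RECERT_YEARS = 3  # PIAs must be reevaluated every 3 years (E-Government Act / IRS guidance)


@dataclass
class SystemRecord:
    system_id: str
    name: str
    classification: str  # General Support System, Major Application, Nonmajor Application
    collects_pii: bool   # taxpayer or employee data


@dataclass
class PiaRecord:
    control_number: str
    system_id: str
    completed: date


def recert_due_date(completed):
    """Date on which a PIA completed on `completed` falls due for reevaluation."""
    try:
        return completed.replace(year=completed.year + RECERT_YEARS)
    except ValueError:  # completed on 29 February; the target year has no such day
        return completed.replace(year=completed.year + RECERT_YEARS, day=28)


def reconcile(systems, pias, as_of):
    """Cross-walk the PIA inventory to the system inventory as of a given date."""
    latest = {}  # system_id -> most recent PIA; stale duplicates on other lists are ignored
    for p in pias:
        cur = latest.get(p.system_id)
        if cur is None or p.completed > cur.completed:
            latest[p.system_id] = p
    missing, due = [], []
    for s in systems:
        if not s.collects_pii:
            continue  # no personal data collected, so no PIA is required
        p = latest.get(s.system_id)
        if p is None:
            missing.append(s.system_id)
        elif recert_due_date(p.completed) <= as_of:
            due.append(s.system_id)
    # Control numbers whose system is not in the inventory: a sign the lists have drifted apart.
    orphan = sorted(set(latest) - {s.system_id for s in systems})
    return {"missing_pia": missing, "recert_due": due, "orphan_pia": orphan}


def summarize(systems, missing):
    """Counts per classification in the layout of the report's Table 1."""
    missing_set, rows = set(missing), {}
    for s in systems:
        row = rows.setdefault(s.classification, {"total": 0, "pii": 0, "missing": 0})
        row["total"] += 1
        if s.collects_pii:
            row["pii"] += 1
            row["missing"] += s.system_id in missing_set
    totals = {k: sum(r[k] for r in rows.values()) for k in ("total", "pii", "missing")}
    rows["Totals"] = totals
    return rows


# Constructed sample inventories (hypothetical identifiers and dates).
SYSTEMS = [
    SystemRecord("GSS-01", "Mainframe environment", "General Support System", True),
    SystemRecord("GSS-02", "Office network", "General Support System", True),
    SystemRecord("MA-01", "Integrated Data Retrieval System", "Major Application", True),
    SystemRecord("NM-01", "Case tracking tool", "Nonmajor Application", True),
    SystemRecord("NM-02", "Forms publisher", "Nonmajor Application", False),
    SystemRecord("NM-03", "HR timekeeping", "Nonmajor Application", True),
]
PIAS = [
    PiaRecord("PIA-0001", "GSS-01", date(2002, 6, 1)),   # more than 3 years old by Aug 2005
    PiaRecord("PIA-0002", "MA-01", date(2004, 3, 15)),
    PiaRecord("PIA-0003", "MA-01", date(2001, 1, 10)),   # stale duplicate from a second list
    PiaRecord("PIA-0004", "NM-03", date(2005, 2, 1)),
    PiaRecord("PIA-0005", "SYS-999", date(2004, 7, 7)),  # no matching system in the inventory
]
AS_OF = date(2005, 8, 31)

if __name__ == "__main__":
    result = reconcile(SYSTEMS, PIAS, AS_OF)
    print(result)
    for name, r in summarize(SYSTEMS, result["missing_pia"]).items():
        pct = 100 * r["missing"] // r["pii"] if r["pii"] else 0
        print(f"{name:<24}{r['total']:>6}{r['pii']:>6}   {r['missing']} ({pct}%)")
```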
Monitoring of Privacy Compliance Can Be Enhanced
The Office of Privacy and Information Protection’s role in the organization is to ensure the IRS is complying with privacy requirements. The E-Government Act established that the primary control over privacy compliance for the Federal Government is the use of PIAs. While the main goal should be to have complete and accurate PIAs for all instances in which the IRS is collecting and using sensitive data (i.e., taxpayer or employee data), equally important are the processes to ensure PIAs are being properly and accurately completed. Compliance with privacy requirements can be segmented into three key activities:
1. Providing awareness training to IRS employees on the privacy of taxpayer data requirements and on the completion of PIAs for all instances in which sensitive data are being collected.
2. Conducting initial reviews of submitted PIAs for completeness, accuracy, and consistency with IRS requirements.
3. Conducting compliance reviews of existing PIAs to validate adherence to the information submitted in the PIAs.
We assessed the Office of Privacy and Information Protection’s efforts in these three areas and determined it did not have a formal privacy training program, initial reviews of PIAs could be enhanced and better documented, and compliance reviews of PIAs were not conducted. By addressing these areas, the Office of Privacy and Information Protection would better fulfill its responsibility to create and maintain privacy awareness among IRS employees and monitor compliance with privacy requirements for the IRS as a whole.
The Office of Privacy and Information Protection does not have a formal training program
In an effort to help identify systems collecting personal information and increase awareness and compliance with privacy requirements, the Office of Privacy and Information Protection conducts ad hoc training and awareness presentations whenever the opportunity arises. For example, the Director, Office of Privacy and Information Protection, and senior staff are members of task forces, committees, and professional organizations and have provided privacy expertise and privacy-related presentations at various meetings. This includes proactively giving awareness presentations to IRS business unit executives on the risks and requirements of privacy for computer systems maintaining personal identifiable information and collaborating with other IRS business units and the Department of the Treasury on proposed revisions to tax laws and implementation of a Department-wide PIA initiative. The Office of Privacy and Information Protection also developed an online, self-study privacy awareness segment that is available to all IRS employees. However, the Office of Privacy and Information Protection does not have a regular awareness training schedule or specific role-based privacy training, nor does it mandate the completion of its online, self-study privacy awareness training by all employees.
In addition, the Office of Privacy and Information Protection does not have a formal management information system to track training delivered to IRS employees. The Office of Privacy and Information Protection was unable to provide such basic information as the number of IRS employees and contractors who attended privacy-related training courses and awareness presentations, training costs expended, or staff days applied toward training. Due to our review, the Office of Privacy and Information Protection recently requested IRS employees who have completed the online, self-study privacy awareness training on the Office of Privacy and Information Protection’s web site to send copies of their certificates of completion for tracking and documentation purposes. The Office of Privacy and Information Protection stated that, due to limited resources and staffing, a management information system to track privacy will be a long-range goal. The Director, Office of Privacy and Information Protection, is also working to develop a computer-based module to be included as part of the mandatory computer security and Unauthorized Access training.