
IRS Confidentiality



  1. IRS Confidentiality

  2. IV-D Confidentiality • IV-D confidentiality under 45 CFR 303.21. • The IV-D program is required to maintain confidentiality over IV-D data.

  3. IV-D Confidentiality • 45 CFR Sec. 303.21 Safeguarding and disclosure of confidential information. (a) Definitions— • (1) Confidential information means any information relating to a specified individual or an individual who can be identified by reference to one or more factors specific to him or her, including but not limited to the individual's Social Security number, residential and mailing addresses, employment information, and financial information.

  4. IV-D Confidentiality • 45 CFR Sec. 303.21 Safeguarding and disclosure of confidential information. (a) Definitions— • (2) Independent verification is the process of acquiring and confirming confidential information through the use of a second source. The information from the second source, which verifies the information about NDNH or FCR data, may be released to those authorized to inspect and use the information as authorized under the regulations or the Act.

  5. IV-D Confidentiality • (b) Scope. The requirements of this section apply to the IV-D agency, any other State or local agency or official to whom the IV-D agency delegates any of the functions of the IV-D program, any official with whom a cooperative agreement as described in Sec. 302.34 of this part has been entered into, and any person or private agency from whom the IV-D agency has purchased services pursuant to Sec. 304.22 of this chapter.

  6. IV-D Confidentiality • (c) General rule. Except as authorized by the Act and implementing regulations, an entity described in paragraph (b) of this section may not disclose any confidential information, obtained in connection with the performance of IV-D functions, outside the administration of the IV-D program:

  7. IV-D Confidentiality • (d) Authorized disclosures. (1) Upon request, the IV-D agency may, to the extent that it does not interfere with the IV-D agency meeting its own obligations and subject to such requirements as the Office may prescribe, disclose confidential information to State agencies as necessary to carry out State agency functions under plans or programs under title IV (including tribal programs under title IV) and titles XIX, or XXI of the Act, including:

  8. (i) Any investigation, prosecution or criminal or civil proceeding conducted in connection with the administration of any such plan or program; and • (ii) Information on known or suspected instances of physical or mental injury, sexual abuse or exploitation, or negligent treatment or maltreatment of a child under circumstances which indicate that the child's health or welfare is threatened. • (2) Upon request, the IV-D agency may disclose information in the SDNH, pursuant to sections 453A and 1137 of the Act for purposes of income and eligibility verification.

  9. (3) Authorized disclosures under paragraph (d)(1) and (2) of this section shall not include confidential information from the National Directory of New Hires or the Federal Case Registry, unless authorized under Sec. 307.13 of this Chapter or unless it is independently verified information. • No financial institution data match information may be disclosed outside the administration of the IV-D program and no IRS information may be disclosed, unless independently verified or otherwise authorized in Federal statute. • States must have safeguards in place as specified in section 454A(d) and (f) of the Act. (Under the IRS rules you may not be able to disclose some data you otherwise might have been able to under this regulation.)

  10. IV-D Confidentiality • (e) Safeguards. In addition to, and not in lieu of, the safeguards described in Sec. 307.13 of this chapter, which governs computerized support enforcement systems, the IV-D agency shall establish appropriate safeguards to comply with the provisions of this section. • These safeguards shall also include prohibitions against the release of information when the State has reasonable evidence of domestic violence or child abuse against a party or a child and that the disclosure of such information could be harmful to the party or the child, as required by section 454(26) of the Act, and shall include use of the family violence indicator required under Sec. 307.11(f)(1)(x) of this chapter.

  11. IV-D Confidentiality • (f) Penalties for unauthorized disclosure. Any disclosure or use of confidential information in violation of the Act and implementing regulations shall be subject to any State and Federal statutes that impose legal sanctions for such disclosure.

  12. IV-D Confidentiality vs. IRS • Conclusion: the IRS does impose some additional requirements but in general if our security is designed to meet the IV-D requirements then we will have gone most of the way to meeting the IRS requirements.

  13. IRC • The Internal Revenue Code (IRC) Section 6103(l)(6) allows the Internal Revenue Service (IRS) to disclose federal return information (FTI) to federal, state, and local child support enforcement agencies (CSEA) for the purpose of, and to the extent necessary in, establishing and collecting child support obligations from, and locating, individuals owing such obligations.

  14. IRC • The information that can be provided under 6103(l)(6) is SSN, address, filing status, amounts and nature of income, and the number of dependents. • IRC 6103(l)(6)(B) authorizes further disclosure to any agent of such agency which is under contract with such agency (for the same purposes as identified above). The information that can be disclosed is limited to address, Social Security number, and the amount of any reduction under IRC Section 6402(c) (the tax offset amount).

  15. IRC • IRC Section 6103(l)(8) permits the commissioner of the SSA to disclose certain FTI, primarily wages and earnings from self-employment.

  16. IRC • IRC Section 6103(l)(10) authorizes disclosure of FTI to agencies requesting reduction under IRC Section 6402(c). • The FTI consists of: the taxpayer’s identity, and if a joint return was filed the identity of other person, the fact that a reduction has been made or has not been made, the amount of the reduction, whether a joint return was filed and the fact that a payment was made, and the amount of the payment to the spouse of the taxpayer who filed a joint return.

  17. IRC • In addition to the FTI connected with the tax offset (taxpayer identification, the offset amount, and the joint tax return indicator) under IRC Sect. 6103(l)(10), the MI IV-D program also may receive FTI through FPLS (via the Federal Case Registry (FCR)); that FTI consists of the earned income of the taxpayer. However, at this point that information is not identified to us as FTI.

  18. Client Tax Information • Any information handed to you by the client is not FTI (it is subject to the IV-D and court confidentiality requirements, but it is not FTI and therefore these IRS regulations do not apply).

  19. Publication 1075

  20. Record Keeping Requirements Publication 1075, Sect 3. • All IV-D partners are required by IRC 6103(p)(4)(A) to establish a permanent system of standardized records of FTI requests made to the IRS and FTI received from the IRS. • This record keeping should include internal requests among agency employees as well as requests from outside of the agency. • The records are to be maintained for five years, or the applicable records control schedule must be followed, whichever is longer.

  21. OLD FTI • The FOC/PA do not currently make any direct requests for FTI to the IRS and do not currently receive any FTI from the IRS. This is all currently handled by MiCSES and therefore any recordkeeping related to this activity is handled by OCS/MiCSES. • However, the FOC used to request FTI and received FTI directly; the record keeping requirements apply to this FTI. (Let's call this Old FTI.)

  22. Current FTI • The record keeping requirements also apply to any internal requests for FTI. • At the FOC/PA these “internal requests” would consist of screen prints of certain MiCSES screens and certain reports and any letters to a NCP (taxpayer) asking for their approval to apply any excess tax offset to other cases. (Let's call this Current FTI.)

  23. Current FTI: MiCSES Holds/Reports/Screens with FTI Information Documents subject to the record keeping requirements: • SURE reports with suspense hold categories - COHO, COIH, CONE, CONX, CSTN, CSTX, SFEX, SFPD and SJTO • Reports - ACTS FOC detail, ACTS NCP detail, and CCRT • MiCSES screen prints - BATR, CBAT, MPOS, URCT, PBAT, RCTM, RHIS, ELOG • Any requests to taxpayers asking their approval to apply any excess tax offset to other cases

  24. Logs for Printed FTI You must have a listing of all documents and information received from the IRS and any internal requests must be logged. The log must include: • Taxpayer name • Tax year(s) • Type of information (e.g., revenue agent reports, Form 1040, work papers) • The reason for the request • Date requested • Date received • Exact location of the FTI • Who has had access to the data

  25. Current FTI Log • Case number. • What was printed. • The dates covered by the printout • Why it was printed. • Where it is at. • When it was destroyed. • How it was destroyed. • Who destroyed it.

  26. Record Keeping and the Old FTI • For the Old FTI (if there is any) there must be a log that identifies exactly what FTI you actually have. • If you had been keeping a log as required and it is up to date, just continue on until all the Old FTI has been destroyed. • If you have not been keeping a log, either create one now by doing an inventory and then track where it is at all times until it is destroyed, who destroyed it and how it was destroyed, or collect all of the Old FTI and destroy it now.

  27. Record Keeping and Current FTI • For the Current FTI (if there is any) there must be a log that identifies exactly what FTI you printed, when you printed it, where it is at all times until it is destroyed, who destroyed it and how it was destroyed. • As a practical matter, the requirement to know where it is from the 1st day until the last day is one of the reasons not to include the printouts in case files. • An inventory is required to ensure that all FTI contained on the log is located; FTI stored in one location is more easily inventoried than FTI in case files.

  28. What does this mean on a day-to-day basis? • Have an office policy that nothing is printed unless it is absolutely necessary. • Describe what is necessary to print and when in the policy. • Structure printing so that it is done in an organized way that lends itself to creating the logs that the IRS requires.

  29. If you have any of the Old FTI that has not been destroyed it is subject to the SECURE STORAGE Requirements of IRC 6103(p)(4)(B).

  30. If you print anything (Current FTI), whatever has not been destroyed is subject to the SECURE STORAGE Requirements of IRC 6103(p)(4)(B).

  31. Secure Storage Publication 1075, Sect. 4.1 • Security may be provided for a document, an item, or an area in a number of ways. These include, but are not limited to, locked containers of various types, vaults, locked rooms, locked rooms that have reinforced perimeters, locked buildings, guards, electronic security systems, fences, identification systems, and control measures.

  32. Secure Storage: Minimum Protection Standards (MPS) Publication 1075, Sect. 4.2 Minimum Protection Standards (MPS) • The Minimum Protection Standards (MPS) establish a uniform method of protecting data and items that require safeguarding. • This system contains minimum standards that will be applied on a case-by-case basis. • The objective of these standards is to prevent unauthorized access to FTI. • MPS requires two barriers to access FTI under normal security

  33. There must be two barriers to access FTI under normal security; for example: • Secured perimeter/locked container, • Locked perimeter/secured interior, or • Locked perimeter/security container (locked).

  34. MPS also apply to the FOC/PA computer screens that display MiCSES.

  35. “Locked” means an area or container that has a lock, and the keys or combinations are controlled.

  36. Secured areas means internal areas that have been designed to prevent undetected entry by unauthorized persons during duty and non-duty hours.

  37. What does this mean for an FOC or PA office? • Generally, access to FOC and PA office space is restricted (locked door, reception area, no access unless escorted).

  38. Clearly, employees cannot leave FTI out on their desk because the requirements for two barriers are not met.

  39. Therefore you just have to impose the second barrier such as placing the FTI into a locked container (for example, a locked file cabinet).

  40. If you store FTI in the case files, then the file room must be locked and the files labeled in order to meet the requirements. • However, what if the file room is not locked?

  41. Secure Storage An example included in Publication 1075: • Using a common situation as an example, often an agency desires or requires that security personnel or custodial service workers have access to locked buildings and rooms. • This may be permitted as long as there is a second barrier to prevent access to FTI. • A security guard may have access to a locked building or a locked room if FTI is in a locked container. • If FTI is in a locked room, but not in a locked container, the guard or janitor may have a key to the building but not the room.

  42. Secure Storage • Access to a locked area, room, or container can be controlled only if the key or combination is controlled. • Compromising a combination or losing a key negates the security provided by that lock. • Combinations to locks should be changed when an employee who knows the combination retires, terminates employment, transfers to another position, or at least once a year.

  43. Restricted Areas and Controlling Physical Access to FTI • A restricted area register will be maintained at a designated entrance to the restricted area. • The entry control monitor should verify the identity of visitors. • Each restricted area register will be closed out at the end of each month and reviewed by the area supervisor/manager.

  44. Restricted Areas and Controlling Physical Access to FTI Publication 1075, Sect. 4.3.2: • Each agency shall control physical access to the information system devices that display FTI information or where FTI is processed to prevent unauthorized individuals from observing the display output. (Exhibit 4, PE-5).

  45. Visitor Access Logs • A visitor access log shall be used to authenticate visitors before authorizing access to the facility where the information system resides and contains FTI. • This does not apply to areas designated as publicly accessible. (Exhibit 4, PE-7) Designated officials or designees within the organization review the visitor access records, at least annually. (Exhibit 4, PE-8)

  46. A visitor access log shall contain the following information: • Name and organization of the visitor; • Signature of the visitor; • Form of identification; • Date of access; • Time of entry and departure; • Purpose of visit; and • Name and organization of person visited.

  47. MPS also apply to the FOC/PA computer screens that display MiCSES.

  48. Workspaces: Home, Remote or Designated • Every care must be taken to ensure the confidentiality of FTI in these circumstances. • FTI may not be accessed from home workspaces. • All remote workspaces must be approved by MiCSES and OCS.

  49. Restricting Access • Agencies are required by IRC Section 6103(p)(4)(C) to restrict access to FTI only to persons whose duties or responsibilities require access.

  50. Restricting Access • FOCs/PAs authorize employees to access MiCSES through the procedures outlined in Action Transmittal (AT) 2008-043. FOCs/PAs must also follow AT 2009-019, which contains the requirements to monitor MiCSES users and delete access for any staff who no longer should have access to MiCSES.
