4
Privacy

Protecting taxpayer privacy requires placing appropriate limitations on access to, and use and dissemination of, information about a taxpayer’s personal and financial circumstances. Privacy policy should include a clear determination of who ought to see what, do what, or disclose what, to whom and for what purpose. This is contrasted with security, which is concerned with ensuring that the intended limitations are effected. (Security is discussed in Chapter 5.) The importance of privacy to the Internal Revenue Service’s (IRS’s) modernization effort cannot be overstated. In fact, a previous IRS modernization attempt was thwarted, at least in part, because the IRS was considered not to have addressed privacy and related security issues adequately. Moreover, since privacy directly affects taxpayers, a perceived lack of privacy protection with regard to the IRS could cause a decrease in voluntary compliance by taxpayers.

Privacy protection is generally based on a combination of prevention and detection mechanisms. Prevention mechanisms, such as access control profiles, are used to stop a privacy violation before it can occur. Detection mechanisms, such as audit trail analysis, augment preventive measures, allowing managers to discover new problems or to provide a measure of assurance that the prevention mechanisms are working.

The IRS has described a number of prevention and detection measures to the committee, relying on its extensive history of tax processing. For the most part, the IRS has stated that existing privacy protection methods are being modernized in the new Tax Systems Modernization (TSM) systems and applications. For instance, employee work profiles have been used historically by the IRS to determine the type of mainframe access needed by a given individual to complete his or her job. As the Integrated Case Processing (ICP) project is developed, the number of profiles will be expanded and the access control measures that are based on them will be fine-tuned. If done properly, such an improvement will decrease significantly the risk of a privacy violation. Similarly, advanced audit analysis tools are planned to assist in the detection of access control problems.

Although such an approach will not help the IRS protect against new vulnerabilities caused by the new systems and applications, it does provide a solid basis for discussion and investigation. Throughout its deliberations, the committee has focused on those areas in which the IRS has no previous history. These areas represent the greatest risk to privacy in the future, and the IRS needs to work quickly to define that risk. The remainder of this chapter discusses the IRS privacy initiatives that should help to limit the risks; Chapter 5 discusses the security capabilities that are needed to implement the privacy principles and policies.







Continued Review of the Tax Systems Modernization of the Internal Revenue Service: Final Report

THE PRIVACY ADVOCATE OFFICE

At the time the committee’s interim report was prepared (October 1994), the privacy advocate had just been named and was in the process of leaving the Office of Management and Budget and joining the IRS. The committee indicated that the Privacy Advocate Office (PAO) would be crucial in developing appropriate agency policy and seeing to its implementation. The privacy advocate has now been in place for about 1 year and is a bright spot in the TSM effort.

The PAO was created with a staff complement of 12, comprising 11 professionals (including the privacy advocate) and 1 secretary. Until approximately the end of April 1995, the office operated with a staff of 5 as the selection process continued; as of December 1995, it is fully staffed. In spite of operating at less than full strength during the committee’s review cycle, the office has functioned with commendable success in preparing a comprehensive and rational plan for introducing privacy constraints into the IRS information systems development plans and into the IRS’s process of information management policy formulation. The PAO is clearly a key to the IRS taking a leadership role in the protection of citizens’ privacy, and it is encouraging that so much progress has been made in a relatively short time.

Despite its overall positive assessment of the PAO’s activities and mission, the committee has some concerns as to whether that office will have pervasive impacts in the highly decentralized IRS. If the office is little more than a “headquarters shop,” or if its guidance or other outputs are not acted upon, the privacy mission is in jeopardy. There appears to be appreciation by IRS senior management of the importance of the PAO’s role in guiding the IRS’s programs to protect the privacy of information. Continued commitment and support of management, both in Washington, D.C., and in the field, will be necessary for the PAO to accomplish its mission on behalf of the IRS and all taxpayers.

VALUING PRIVACY

It is extremely important for all IRS employees to understand the value of maintaining taxpayer privacy in order to allow the IRS to fulfill its modernization objectives. In fact, the federal Privacy Act of 1974¹ and specific statutes in the Internal Revenue Code require that all IRS employees safeguard the privacy of all citizens. However, such laws and policies will do little if the front-line workers do not take these principles to heart. To that end, the IRS has developed a very good training video regarding the importance of taxpayer privacy protection, and the Commissioner in frequent messages to IRS personnel has emphasized “zero tolerance” for improper access to taxpayer files. Additionally, informational privacy is often a topic in agency bulletins for management personnel.

¹ 5 U.S.C. Sec. 552a.

Continued training in and reinforcement of privacy values for all IRS staff are necessary to ensure that respect for the confidentiality of taxpayer information becomes part of every employee’s job consciousness.

Monitoring employee access to taxpayer information is also necessary to deter and identify violations of access protocol. The agency is currently developing a program designed to identify browsing. Based on employee work profiles, the program would identify patterns suggesting improper file access. The program is currently in place at all service centers, and the IRS is encouraged to continue its efforts to develop improved scenarios to detect browsing.

This committee has suggested that the IRS establish an advisory group that includes privacy experts and taxpayers external to the agency who can provide feedback regarding the adequacy of privacy policy.² At present, the Commissioner has an advisory group that includes a subcommittee on privacy. Although the Commissioner’s advisory group has a much broader scope than privacy, the IRS is evaluating whether that body can provide the kind of input that the committee has suggested. The committee reiterates the view that the IRS should be a leader among government agencies in respecting the privacy of citizens and in using the capabilities of information technology to accomplish that goal.

² Computer Science and Telecommunications Board, National Research Council. 1992. Review of the Tax Systems Modernization of the Internal Revenue Service. National Academy Press, Washington, D.C., p. 25. Computer Science and Telecommunications Board, National Research Council. 1993. “Letter Report to Commissioner Margaret Milner Richardson,” Computer Science and Telecommunications Board, Washington, D.C., July 30, p. 8. Computer Science and Telecommunications Board, National Research Council. 1994. Review of the Tax Systems Modernization of the Internal Revenue Service. Computer Science and Telecommunications Board, Washington, D.C., p. 12.

INFORMATION MANAGEMENT PROTOCOLS

Although the IRS has developed sound principles regarding the confidentiality of taxpayer data, those broad statements will be meaningful only if they are translated into job-specific prescriptions for employee performance. The PAO reports that it is in the process of developing such guidance for various job “clusters,” and it is urged to make that task a high priority. Additionally, the clusters should be as small as possible so that measures for information processing can be appropriately specific.

DISCLOSURE OF TAXPAYER INFORMATION TO THIRD PARTIES

The committee deplores the fact that the number of exceptions to section 6103 of the tax code has been expanded repeatedly by Congress, diminishing the confidentiality of taxpayer data. The committee has recommended that Congress and the IRS review section 6103 confidentiality exemptions and that further trends toward sharing IRS data with third parties be sharply limited.³ Although the details of such issues are outside the scope of this report, it is important to note that all data-sharing issues directly affect TSM requirements, and if specific restrictions are needed, it is best to determine them early in the process and build the restrictions into TSM systems and applications. Otherwise, the IRS runs the risk of exposing too much data to too many organizations in the long run.

³ Computer Science and Telecommunications Board, National Research Council. 1992. Review of the Tax Systems Modernization of the Internal Revenue Service. National Academy Press, Washington, D.C., p. 28. Computer Science and Telecommunications Board, National Research Council. 1994. Continued Review of the Tax Systems Modernization of the Internal Revenue Service: Interim Report. Computer Science and Telecommunications Board, Washington, D.C., pp. 12–13.

About a year ago the IRS did establish a task force, on which congressional staff members serve, for the purpose of reviewing and recommending third-party disclosure policies. That action by the IRS is certainly consistent with the committee’s preliminary recommendations; it will require the consent of Congress to implement any reforms in third-party disclosure practices, however. A draft report from that task force is currently being circulated for comment. This committee has not seen the draft.

USE OF DATA FROM THIRD PARTIES

The use by the IRS of third-party data calls for an examination of the procedures governing the access, use, and storage of such information. The accuracy of third-party data is subject to question, and it may be difficult for the IRS to confirm the accuracy of data prepared by others. Moreover, because of the potential for abuse, there is a general privacy concern about any government agency developing a comprehensive dossier on individuals.

The PAO is mindful of this problem and is currently developing a policy governing the collection, use, storage, and dissemination of data from third parties; it expects to complete the task by the end of 1995. Third-party data must be screened and used with care and should be stored only as long as necessary for tax administration purposes.

Here again, the high-level policies and procedures developed by the IRS in this area have a direct impact on the operational requirements for TSM systems and applications. For example, if it is determined that a specific set of third-party data can be used for only a given period of time, then it may be necessary to develop database applications that automatically delete the data after a given expiration date. Incorporating such support during the early TSM development stages will reduce overall development and operating costs.

PRIVACY AND SECURITY LINKAGE

Privacy cannot be ensured without adequate system security. The serious problems discussed in Chapter 5 must be addressed for the IRS to meet its privacy objectives.

In its interim report,⁴ the committee recommended that privacy policy be reflected in TSM system security design and that metrics be developed to measure whether the information processing program adequately meets confidentiality constraints. The IRS has contracted with outside consultants to assist in the development of metrics and the evaluation of the adequacy of protection measures that support the privacy requirement.

⁴ Computer Science and Telecommunications Board, National Research Council. 1994. Continued Review of the Tax Systems Modernization of the Internal Revenue Service: Interim Report. Computer Science and Telecommunications Board, Washington, D.C.

The PAO has developed and is circulating within the IRS a privacy program plan that would provide an opportunity for the review of TSM security system architecture before it has been implemented. The general privacy plan is sound and, if implemented, should provide adequate input by the privacy advocate into the policy-to-requirements-to-architecture process. However, the committee is painfully aware that TSM projects continue to be designed with no detailed security specifications, much less privacy guidance.

To ensure implementation and ongoing evaluation of the process the committee recommends that the IRS (1) define privacy threats; (2) develop means of assessing the current level of security violation; (3) use those same measures, over time, to determine whether violations have increased or decreased; and (4) ensure that every project implements all privacy requirements satisfactorily before the project is allowed to achieve an operational state.
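
The profile-based browsing check described under VALUING PRIVACY and the recommendation to apply one violation measure over time can be sketched together as follows. This is an added example, not IRS or committee code; the profile fields, employee and account identifiers, audit-record layout and the `min_accounts` threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed work profiles (hypothetical layout): the actions and the
# taxpayer accounts each employee's job assignment requires.
PROFILES = {
    "emp_a": {"actions": {"read"}, "accounts": {"T100", "T101"}},
    "emp_b": {"actions": {"read", "update"}, "accounts": {"T200"}},
}

# Constructed audit-trail records: (date, employee, action, account).
AUDIT_LOG = [
    ("1995-10-02", "emp_a", "read", "T100"),
    ("1995-10-03", "emp_a", "read", "T901"),    # account not assigned
    ("1995-10-03", "emp_b", "update", "T200"),
    ("1995-10-04", "emp_a", "read", "T902"),    # account not assigned
    ("1995-11-06", "emp_a", "update", "T101"),  # action outside profile
    ("1995-11-07", "emp_b", "read", "T200"),
    ("1995-11-08", "emp_c", "read", "T100"),    # employee has no profile
    ("1995-11-09", "emp_b", "read", "T200"),
    ("1995-11-10", "emp_a", "read", "T100"),
]

def classify(record, profiles):
    """Return None if the access fits the work profile, else a reason."""
    _, emp, action, account = record
    profile = profiles.get(emp)
    if profile is None:
        return "no-profile"
    if action not in profile["actions"]:
        return "action-outside-profile"
    if account not in profile["accounts"]:
        return "account-not-assigned"
    return None

def flag_out_of_profile(log, profiles):
    """Detection pass: every audit record that does not fit a profile."""
    flagged = []
    for rec in log:
        reason = classify(rec, profiles)
        if reason:
            flagged.append((rec, reason))
    return flagged

def browsing_candidates(log, profiles, min_accounts=2):
    """Employees whose flagged accesses span several distinct accounts."""
    seen = defaultdict(set)
    for (_, emp, _, account), _ in flag_out_of_profile(log, profiles):
        seen[emp].add(account)
    return sorted(e for e, accts in seen.items() if len(accts) >= min_accounts)

def monthly_violation_rate(log, profiles):
    """One measure applied to every month so periods can be compared."""
    totals, bad = defaultdict(int), defaultdict(int)
    for rec in log:
        month = rec[0][:7]
        totals[month] += 1
        bad[month] += classify(rec, profiles) is not None
    return {m: bad[m] / totals[m] for m in sorted(totals)}
```

Smaller job clusters translate into narrower `accounts` and `actions` sets, which is what makes an out-of-profile access stand out in the audit trail.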