IRS Supplements Advice on Internet Portal Use for FOIA Requests

UIL: 0552.00-00

Date: July 30, 2021

CC:PA:07:CValvardi - DISA-114847-21

to:
Phyllis Grimes, Director, Governmental Liaison, Disclosure and Safeguards
(Privacy, Governmental Liaison, and Disclosure)

from:
Melissa Avrutine, STR
(Procedure & Administration)

subject:
Return Information in FOIA Requests Submitted Using an Internet Portal

ISSUES

In a memorandum dated June 6, 2017 (attached for reference), we provided preliminary guidance concerning the use of an internet portal to allow FOIA customers the ability to submit and track requests, and to receive responsive information, as mandated by the FOIA Improvement Act of 2016, Pub. L. No. 114-185 (“FOIA Improvement Act”). You previously asked us to address the following issues: (1) confidential tax information, which is included in many requests received, (2) establishing the right to access by third parties, and (3) authentication requirements. This memo supplements our earlier tentative guidance now that specific tools have been identified for use in complying with OMB's mandate to allow the public to submit FOIA requests through an internet portal pursuant to the FOIA Improvement Act. Specifically, you have identified those tools as the FOIA.gov internet site managed by the Department of Justice Office of Information Policy (“OIP”), which will be used as the central government-wide site for submitting FOIA requests (or referring requesters to individual agency request sites); and the FOIAXpress Public Access Link (“PAL”), which will be used by the IRS for direct intake of electronic FOIA requests.

This memorandum adopts and incorporates our previous preliminary guidance in its entirety and applies that guidance to the specific facts summarized in the Background section below.

BASIC PRINCIPLES

BACKGROUND

We understand that PGLD's Office of Governmental Liaison, Disclosure, and Safeguards (“GLDS”) has procured licenses for the FOIAXpress electronic case management and processing system, and the system has been fully implemented as the replacement for the now-retired AFOIA system. FOIAXpress is a software-as-a-service system licensed and serviced under contract by the AINS corporation. It involves a web-based user interface for case management, cloud-based data storage, and an internet interface called the Public Access link (“PAL”). The AINS corporation maintains the file servers used for receiving and sending files associated with FOIA requests and responses through the PAL.

Treasury regulations require that any person, or agent or subcontractor of that person, who receives returns or return information in connection with a contract for tax administration services under 6103(n) (“6103(n) contract”) shall provide written notice to employees that returns or return information may be used only as authorized by the 6103(n) contract, and that employees are subject to specified civil and criminal penalties pursuant to sections 7431, 7213, and 7213A for unauthorized inspection or disclosure. Treas. Reg. § 301.6103(n)-1(d). These regulations further require a contractor (including its agent or subcontractor) under a 6103(n) contract to permit inspection of its facilities by the IRS, and to comply with prescribed requirements for protecting confidential returns and return information from unauthorized inspection or disclosure. Treas. Reg. § 301.6103(n)-1(e).

The IRS has contracted with Chenega Applied Solutions, LLC (“CAS, LLC”) to provide, among other things, the licensing of FOIAXpress to GLDS and the operation of the PAL by subcontractor AINS. The CAS, LLC contract includes the following standard clauses requiring the safeguarding of protected tax returns and return information:

• IR1052.224-9008 — SAFEGUARDS AGAINST UNAUTHORIZED DISCLOSURE OF SENSITIVE BUT UNCLASSIFIED INFORMATION (NOV 2015)

• IR1052.224-9000 — DISCLOSURE OF INFORMATION — AFEGUARDS

• IR1052.224-9001 — DISCLOSURE OF INFORMATION — CRIMINAL/CIVIL SANCTIONS.

These clauses include statements that penalties for unauthorized disclosure and access of returns and return information are found in I.R.C. sections 7213, 7213A and 7431; and, that any person, officer, employee, agent, or subcontractor to whom the contractor re-discloses returns or return information shall comply with IRS conditions and requirements for protection against unauthorized disclosure and inspection, pursuant to Treas. Reg. § 301.6103(n)-1(e)(3). The Performance Work Statement (“PWS”) for the CAS, LLC contract states that the contractor shall comply with specified OMB, Treasury, and IRS information security directives; the Taxpayer Browsing Protection Act of 1997-Unauthorized Access (UNAX); and specified OMB, Treasury, and IRS policies, procedures, and guidance to protect sensitive information, including taxpayer information. The PWS also states that the contractor shall be subject to periodic (no less than annual) testing and evaluation of information security controls and techniques at the option and discretion of the IRS.

We understand that the PAL, once activated, can be used by requesters to submit FOIA requests directly to the Office of Disclosure, and will eventually be available to be used by Disclosure caseworkers to deliver copies of responsive records to requesters. Currently, when a FOIA request is submitted to the IRS using FOIA.gov, an email with the request details is automatically generated and sent to an IRS email inbox, and a new FOIA case is subsequently forwarded to Disclosure for processing. This will no longer occur upon full implementation of the PAL, and instead an application programming interface (“API”) will allow requests submitted on FOIA.gov to be transmitted directly to the PAL file server. Alternatively, a link located on FOIA.gov will bring requesters to the PAL internet site to submit their requests directly via the PAL user interface.

Eventually, when the full capability of FOIAXpress is implemented, records responsive to FOIA requests submitted through the PAL may be transmitted electronically to those requesters through the PAL. These requesters will need to authenticate their identity to access a requester-specific PAL portal where they can access messages and download documents specific to their FOIA request(s). Emails will be sent to requesters prompting them to access the PAL to retrieve case-related messages or documents.

These emails will necessarily contain the requester's email address, and may contain the requester's name and the relevant FOIA case number, but will not contain any other information specific to the request or its subject matter. Requesters who mail or fax their requests to the IRS will continue to receive records in the same manner they do now. FOIA.gov will not be involved in the responsive record delivery process.

ANALYSIS

FOIAXpress Public Access Link (“PAL”)

FOIA requests submitted to the PAL will be transmitted using a file server maintained by AINS, under subcontract with the Service's contracted service provider CAS, LLC. The information in the requests will be immediately accessible by IRS personnel. Therefore, any information transmitted via the PAL which fits the definition of “return” or “return information” provided in section 6103(b), should be presumed to be subject to section 6103's confidentiality requirements. As noted in our June 2017 memo, section 6103 provides no specific exception allowing disclosure of return information received by the Service as part of a FOIA request. Therefore, we advise that all FOIA requests submitted to the Service via the PAL should be handled and processed under the presumption that these requests contain information protected by section 6103.

Any information returned to a requester via the PAL file servers maintained by AINS are disclosed by the IRS to the contractor pursuant to section 6103(n). As such, contractor CAS, LLC and subcontractor AINS must be required to implement safeguards typically mandated for the protection of returns and return information from unauthorized disclosure. Our review of the statement of work and aforementioned clauses contained in the Service's contract with CAS, LLC indicates that the contractor and any subcontractors are obligated to implement sufficient safeguards and would be liable under sections 7213, 7213A and 7431 for a failure to do so.

Because FOIAXpress will be operated and overseen by GLDS personnel subject to IRS conditions and requirements for the protection of confidential 6103 information, and because disclosure to the contractors who maintain the internet-accessible PAL site and file server are subject to the appropriate requirements for the protection of sensitive information pursuant to section 6103(n), we do not foresee that submitting FOIA requests through the PAL will pose a likely risk of exposure to legal liability for unauthorized disclosure of returns or return information that might be included in a FOIA case.

FOIA.gov

Information submitted by a requester using FOIA.gov would not likely be considered return information, per se, upon submission. As such, further disclosure of such information would not be prohibited by section 6103 (and would not expose the government to liability under sections 7213, 7213A and 7431) until the subsequent transmission of that information was received by the Service. Only returns or return information contained in the copies of FOIA requests transmitted via email by FOIA.gov and received by an IRS email account would be protected by section 6103 because, by definition, information must be received by the Service in order to become a return or return information. See I.R.C. § 6103(b)(2).

Using FOIA.gov as a portal for receiving requests does not present significant exposure to legal liability under the I.R.C. for disclosure of returns or return information protected by section 6103. However, we believe the Service's general obligation to protect return information entails advising any agency maintaining a FOIA portal to provide the utmost security for any information submitted, and to ensure that information in FOIA requests clearly directed to the Service be provided special protection from unnecessary disclosure between receipt at the FOIA.gov portal and transmission to the Service's email servers or PAL.

Disclosure of FOIA Case Tracking Information, Responses, and Responsive Records Through the PAL

Because the PAL is maintained by an IRS contractor obligated to implement safeguards pursuant to a 6103(n) contract, the transmission of response messages, tracking information, and responsive records via the PAL is not likely to expose the IRS to liability for unauthorized disclosure. The Service's current standards and procedures for electronically providing returns and return information should be applied to delivery of information and records to FOIA requesters using the PAL internet interface.

Notification messages sent to requesters via email would entail the use of third-party email servers. Therefore, return information should not be included in the email messages notifying requesters to check the PAL for the status of their request. Use of a requester's name and email address in a notification email is authorized, presuming that the email message does not in any way indicate that the email address or the person named in the email is associated with any IRS activity aside from a FOIA request.¹

The IRS is not authorized to disclose returns or return information to OPM solely for FOIA purposes. Therefore, we advise that responsive records or other information pertaining to an IRS FOIA request should not be transmitted to requesters through FOIA.gov.

Authentication Requirements and Establishing the Right to Access by Third Parties

As stated in our previous June 2017 memo, the Service's current standards and procedures for verifying the authenticity and access rights of a requester who submits a FOIA request by mail may generally be applied to requests submitted using either the FOIAXpress PAL or FOIA.gov.

CONCLUSIONS

Because information submitted directly to the Service as part of a FOIA request could be deemed “return information” whose confidentiality is assured by § 6103, FOIA requests submitted through the FOIAXpress Public Access Link should be subject to the same protections against unauthorized disclosure as the Service's other internet-based applications. Current IRS procedures for handling 6103 information, and safeguards imposed on the contracted service providers, should provide adequate protection against legal liability for unauthorized disclosure. Information in a request submitted through FOIA.gov will not likely enjoy the specific protection afforded by § 6103 until the IRS receives a copy of the request via email, or until the request is transmitted to the PAL file server operated by the Service's contracted service provider.

This writing may contain privileged information. Any unauthorized disclosure of this writing may undermine our ability to protect the privileged information. If disclosure is determined to be necessary, please contact this office for our views.

Please call Christopher Valvardi at 202-317-5231 if you have any further questions.

Attachment: IRS Office of Chief Counsel Memorandum, “Return Information in FOIA Requests Submitted Using an Internet Portal” (June 06, 2017)

---

Date: June 6, 2017

to:
Edward Killen, Director
(Privacy, Governmental Liaison, and Disclosure)

from:
Charles Christopher, Branch Chief
(Procedure & Administration)

subject:
Return Information in FOIA Requests Submitted Using an Internet Portal

ISSUES

You have requested preliminary guidance from Counsel concerning the legal ramifications of using an IRS-developed internet portal to allow FOIA customers the ability to submit and track requests, and to receive responsive information, including but not limited to information otherwise protected under IRC § 6103, subject to establishing a nexus through appropriate automated access/authentication.

You also requested preliminary guidance on the legal ramifications of the IRS allowing taxpayers to submit FOIA requests using a common internet portal shared by other agencies, as mandated by the FOIA Improvement Act of 2016, Pub. L. No. 114-185 (“FOIA Improvement Act”). Your concerns center around the following issues: (1) confidential tax information, which is included in the majority of the requests received, (2) establishing the right to access by third parties, and (3) authentication requirements.

Our analysis and conclusions are tentative because neither the Service nor the Office of Management and Budget have provided any details regarding the workings of any internet portal. Because section 6103 conclusions are heavily dependent on close factual analysis, the following analysis emphasizes broad principles that should be kept in mind as the Service or OMB considers developing an internet portal.

BASIC PRINCIPLES

BACKGROUND

In pertinent part, the FOIA Improvement Act of 2016 includes the following provisions:

(1) The Director of the Office of Management and Budget, in consultation with the Attorney General shall ensure the operation of a consolidated online request portal that allows a member of the public to submit a request for records under subsection (a) to any agency from a single website. The portal may include any additional tools the Director of the Office of Management and Budget finds will improve the implementation of this section.

(2) This subsection shall not be construed to alter the power of any other agency to create or maintain an independent online portal for the submission of a request for records under this section. The Director of the Office of Management and Budget shall establish standards for interoperability between the portal required under paragraph (1) and other request processing software used by agencies subject to this section.

5 U.S.C. § 552(m).

The new law directs the Office of Management and Budget and the Attorney General to ensure the operation of the online request portal. Neither office has yet provided any guidance on this issue.

We understand that PGLD is considering the procurement of technology which would allow the Service to operate its own site for the electronic submission of FOIA requests. Such a site could be maintained independently of the consolidated online request portal, as explicitly provided in the FOIA Improvement Act. Though the standards for interoperability referenced in 5 U.S.C. § 552(m)(2) have not yet been promulgated, we consider it reasonable to assume that a Service-controlled independent online portal could be maintained even after the consolidated online portal is established.

ANALYSIS AND CONCLUSIONS

Confidential Tax Information in FOIA Requests

If the Service opts to maintain an independent online portal for FOIA requests, all information submitted to the portal it would be “received” or “collected” by the Service. As a result, any information in a FOIA request that fits the definition provided in § 6103(b) would become return information subject to the confidentiality strictures of § 6103. This includes a taxpayer's name, mailing address, and taxpayer identification number, as well as the fact of whether the taxpayer is currently subject to examination, investigation, or processing by the Service. A taxpayer may also choose to attach a copy of a tax return to a FOIA request. The Service will be obligated by § 6103 to protect this information from disclosure. Any disclosure of such information not authorized by § 6103 could subject the government to criminal or civil liability under §§ 7213 or 7431, respectively.

On the other hand, information submitted to an online portal maintained by an entity other than the Service would not likely be considered return information, per se, upon submission. As such, further disclosure of information submitted to a non-IRS portal would not be prohibited under § 6103, and would not subject the government to liability under §§ 7213 or 7431. We note, however, that other laws governing the disclosure of private information may apply to information submitted to a government-wide portal, and may subject the agency maintaining the portal to liability under those laws.

The lawful disclosure of taxpayer information has been circumscribed by IRC § 6103 in a highly specific, detailed, and fact-dependent manner. Such facts include the substance of the information in question, the origin of the information, the entity in possession of such information at the time of disclosure, the reason for disclosure, and the venue in which the information is disclosed. One or more of these facts may affect the threshold determination as to whether the information fits the statutory definition of “return information,” as well as the determination as to whether any exceptions in the statute allow disclosure of the information. We note that IRC § 6103 provides no specific exception allowing disclosure of a return or return information received by the Service as part of a FOIA request.

A “return,” as defined in § 6103(b), must be “filed with the Secretary.” If a taxpayer attaches a previously filed return document to a FOIA request, it is likely that it would be protected as confidential under § 6103. However, a copy of a return document that has not yet been filed pursuant to any obligation imposed by the IRC would not likely enjoy such protection until the time it is actually filed.

The fact of filing or not filing is not necessarily dispositive for information which is considered “return information” (as distinct from a return itself). Generally, information which fits the § 6103(b)(2) definition becomes return information upon “passing through” the Service, without the added requirement of being “filed.”¹

The Internal Revenue Code does not obligate the Service itself to maintain the confidentiality — i.e., to avoid disclosure — of tax information provided to, or maintained by, an entity other than the Service, and does not provide a remedy for disclosure of such information.² While the plain language definition of “return information” in § 6103(b)(2) seems to encompass virtually any type of information about a taxpayer that might come into possession of the Service, courts have consistently found that the same information, when inspected, maintained, or disclosed by a government entity other than the Service, does not constitute return information.³ In advising the Service, Chief Counsel has previously taken the position that the entity in possession of information can be determinative of whether it is deemed return information protected by § 6103 — even if the identical information subsequently or concurrently in the hands of the Service is protected as confidential return information.⁴ Moreover, courts have consistently held that to be considered return information, the information must not only pass through the Service, but it must also have been submitted “with respect to a return or with respect to the determination of . . . liability” under the Internal Revenue Code.⁵ Under current jurisprudence, it would be difficult to argue that financial, tax-related, or other information submitted with a FOIA request was submitted pursuant to the requester's compulsory filing obligations under the Code.

For the foregoing reasons, we do not foresee participation in a FOIA portal maintained by another agency presenting a risk of exposure to legal liability under the Internal Revenue Code. However, we believe the Service's general obligation to protect return information entails advising any agency maintaining a FOIA portal to provide the utmost security for any information submitted, and to ensure that information in FOIA requests clearly directed to the Service be provided special protection from unnecessary disclosure between receipt at the portal and transmission to the Service.

Providing Tracking information and Responses Using an Internet Portal

The Service's current standards and procedures for electronically providing returns and return information should be applied to any system or process designed for providing information to FOIA requesters whose requests involve returns or return information. For example, the name of a taxpayer who has submitted a FOIA request could be considered return information if the request asked for records pertaining to that taxpayer's liability under the IRC. As such, the Service would be prohibited from disclosing the taxpayer/requester's name or other return information to third parties without rightful access — including another agency maintaining a common internet portal — for the purposes of providing tracking information or records in response to the request.

Authentication Requirements and Establishing the Right to Access by Third Parties

The Service's current standards and procedures for verifying the authenticity and access rights of a requester who submits a FOIA request by mail may be applied to requests submitted using an internet portal.

Treasury regulations require that persons requesting access to records whose disclosure is limited by statute, and which pertain to themselves, when not presenting the request in person, may establish their identity by

• The submission of the requester's signature, address, and one other identifier (such as a photocopy of a driver's license) bearing the requester's signature, in the case of a request by mail; or

• The submission by mail of a notarized statement, or a statement made under penalty of perjury in accordance with 28 U.S.C. 1746, swearing to or affirming such person's identity.

26 C.F.R. § 601.702. The submission of electronically scanned or otherwise reproduced documents equivalent to the documents described above should be sufficient to establish the requester's identity when submitted through an internet-based portal.

Persons requesting records on behalf of or pertaining to another person must provide adequate proof of the legal relationship under which they assert the right to access the requested records. These requesters must furnish a properly executed power of attorney, Privacy Act consent, or tax information authorization, as appropriate. 26 C.F.R. § 601.702. Requests for return information of a corporation, partnership, or subchapter S corporation should conform to the requirements provided at 26 C.F.R. § 601.702(c)(5)(iii)(C).

CONCLUSION

Because information submitted directly to the Service as part of a FOIA request could be deemed “return information” whose confidentiality is assured by § 6103, any internet-based portal for the submission of FOIA requests should provide the same protections against unauthorized disclosure as the Service's other internet-based applications. However, information submitted to an internet portal maintained by another agency would not likely enjoy the specific confidentiality and protection afforded by § 6103, and its disclosure would not likely expose the Service to criminal or civil liability. Nevertheless, as a matter of policy and best practice, given the sensitivity of many FOIA requests for IRS information, the Service should work with other participants in a common portal to establish protocols which will safeguard the confidentiality of the information submitted.

This writing may contain privileged information. Any unauthorized disclosure of this writing may undermine our ability to protect the privileged information. If disclosure is determined to be necessary, please contact this office for our views.

Please call Christopher Valvardi at 202-317-5231 if you have any further questions.