
Memo Clarifies Privacy Policy on Accessing Sensitive Data

DEC. 31, 2019

PGLD-10-1119-0005

DOCUMENT ATTRIBUTES
Citations: PGLD-10-1119-0005

Expiration Date: 12-31-2021
Affected IRM: 10.5.1

Date: December 31, 2019

MEMORANDUM FOR ALL OPERATING DIVISIONS AND FUNCTIONS

FROM:
Peter C. Wade
Director, Privacy Policy and Compliance

SUBJECT:
Interim Guidance on Need to Know Access

This memorandum issues privacy policy on Need to Know Access until IRM 10.5.1 is updated. Please ensure that this information is distributed to all affected personnel within your organization who are responsible for protecting sensitive but unclassified (SBU) data, including tax information and personally identifiable information (PII). The policy applies to all employees, contractors, and vendors of the Service.

Purpose: The Interim Guidance (IG) includes specific privacy policy clarifications on what constitutes need to know access for a legitimate business need. Personnel (including current employees, rehired annuitants, returning contractors, etc.) who change roles or assignments may access only the SBU data (including PII and tax information) for which they still have a business need to know to perform their duties. This IG memo is meant to help personnel understand when it is appropriate to access SBU data based on a need to know.

Background/Source(s) of Authority: IRM 10.5.1 is issued under the authority of the Privacy Act of 1974, the Internal Revenue Code, the Taxpayer Browsing Protection Act of 1997, the E-Government Act of 2002 (to include accompanying guidance outlined in OMB memoranda), the Consolidated Appropriations Act of 2005, §522, Treasury Directives, and other federal guidance. For a full listing of privacy laws relevant to this IRM section, refer to Exhibit 10.5.1-2, References.

Effect on Other Documents: This guidance will be incorporated into IRM 10.5.1 by December 31, 2021.

Effective Date: December 31, 2019.

Contact: If you have any questions, please contact me, or a member of your staff may contact Greg Ricketts, Associate Director, Privacy Policy and Knowledge Management, at 901-546-3078, or Gregory.T.Ricketts@irs.gov.

Distribution:

IRS.gov (http://www.IRS.gov)
Commissioner of Internal Revenue
Deputy Commissioner for Operations Support
Deputy Commissioner for Services & Enforcement
Commissioner, Large Business and International Division
Commissioner, Small Business/Self-Employed Division
Commissioner, Tax-Exempt and Government Entities Division
Commissioner, Wage and Investment Division
Chief of Staff
Chief, Agency-Wide Shared Services
Chief, Appeals
Chief, Communications and Liaison
Chief Counsel
Chief, Criminal Investigation
Chief Financial Officer
Chief, Planning, Programming & Audit Oversight
Chief, Risk Officer
Chief Technology Officer
Director, Affordable Care Act Office
Director, Office of Compliance Analytics
Director, Office of Online Services
Director, Office of Professional Responsibility
Director, Office of Research, Analysis and Statistics
Director, Privacy, Governmental Liaison and Disclosure
Director, Return Preparer Office
Director, Whistleblower Office
Executive Director, Equity, Diversity and Inclusion
IRS Human Capital Officer
National Taxpayer Advocate
Treasury Inspector General for Tax Administration (TIGTA)
Associate Chief Information Officer, Cybersecurity


Attachment Interim Guidance: PGLD-10-1119-0005

The following changes are hereby effective December 31, 2019, for IRM 10.5.1.

10.5.1.2.8 (MM-DD-YYYY)
Need to Know

(1) Restrict access to SBU data (including PII and tax information) to those IRS personnel who have a need for the information in the performance of their duties.

(2) The term “need to know” describes the requirement that personnel may access SBU data (including PII and tax information) only as authorized to meet a legitimate business need, which means that they need the information to perform their duties. See examples later in this section for explanations of how need to know applies to duties.

Note: See the Unauthorized Access of SBU Data and UNAX sections of this IRM.

(3) Personnel (including current employees, rehired annuitants, returning contractors, etc.) who change roles or assignments may access only the SBU data (including PII and tax information) for which they still have a business need to know to perform their duties. If they no longer have a business need to know, they must not access the information. This policy includes, but is not limited to, information in systems, files (electronic and paper), and emails, and it applies even where technical controls do not prevent access: the ability to reach the data does not by itself constitute authorization to access it.

Example: A compliance case has a litigation hold or similar request in place. An employee, even if in a new assignment, may retain and access old case files from their previous role if they need to retrieve them for a litigation hold or similar request.

Example: A former employee now works for a vendor who has a contract with the IRS. The former employee may not access old files in email or on their laptop from their previous role with the IRS, even if those files are archived under their SEID (Standard Employee Identifier). The IRS will provide any information necessary to perform the current contract on a need to know basis.

Note: To determine applicability of employee duties, based on sensitivity of information, refer to the position description or contact Labor Relations.

(4) Personnel must ensure their own adherence to this need to know policy.

(5) This standard is less stringent than a "cannot function without it" test. For each use, personnel must consider whether they can perform their official duties properly, efficiently, or appropriately without the information. "Necessary for official duties" in this context does not mean essential or indispensable, but rather appropriate and helpful in carrying out the duty for which the information is sought.

(6) Management must inform personnel who have a need to know of the protection requirements under the law, and those personnel must have an appropriate level of clearance through a background investigation, typically covered by the onboarding and training process.

(7) Need to know supports the "relevant and necessary" aspect of the Purpose Limitation Privacy Principle and the Privacy Act. It reflects the statutory restriction that protected information be disclosed only to those who have an authorized need for the information in the performance of their duties. The Strict Confidentiality Privacy Principle requires this, as does the NIST Privacy Control for Privacy Monitoring and Auditing and the Security Controls in the Access Control family. [PVR-02; PVR-05; Privacy Act; IRC 6103; UNAX; Treasury's Privacy and Civil Liberties Impact Assessment (PCLIA) Template and Guidance; AR-4; NIST 800-53]

(8) Access to classified national security information requires more stringent controls which are addressed in IRM 10.9.1, National Security Information.

(9) Refer to the Access by IRS Employees Based on Need to Know section of IRM 11.3.22, Disclosure of Official Information, Disclosure to Federal Officers and Employees for Tax Administration Purposes.
