IG: IRS not doing enough to safeguard taxpayers' privacy
The Treasury IG says that the IRS has not conducted impact assessments on all of its computer systems, and that it does not pay enough attention to applying privacy laws.
The Internal Revenue Service has not done enough to protect the privacy of more than 130 million taxpayers, according to a Treasury Department Inspector General's report released Oct. 3.
The agency has conducted privacy impact assessments (PIAs) on less than half of its computer system and does not adequately monitor its own application of privacy laws, according to the report from the Treasury IG For Tax Administration.
The E-Government Act of 2002 and IRS guidelines require every computer system or project that collects personal information to have a current PIA on file with the agency’s privacy office. As of August 2005, the IG could not find PIAs for 130 of the 241 IRS computers systems that collect the sensitive information, according to the report.
“We attribute the missing PIAs to the lack of emphasis on privacy issues, and the decision to not require that all systems be certified and accredited,” the report states.
Thus, taxpayers’ identities are at a higher risk of being stolen and used unlawfully, the report found.
The IG recommended that IRS officials build a searchable database of PIAs with quarterly verifications on their accuracy and reinforce the importance of PIA case documentation.
The IG report recommended that officials review employee privacy training and assess whether IRS business units meet regulations.
Despite failures, the IRS’ Office of Privacy and Information Protection enhanced its privacy program in the past two years, according to the IG. Officials chaired a working group to review the issues and created an online privacy-training segment on its Web site.
The privacy office director is responsible for administering the privacy program. Its mission is to ensure that policies and programs incorporate taxpayer and employee privacy requirements and that sensitive information remains protected, secure and private.
National Treasury Employees Union President Colleen Kelley said in a statement that the report emphasizes her belief that the IRS should not turn over taxpayer records to private collection agencies.
“The IRS should be required to get its own house in order and not only meet, but exceed, the privacy standards," she said. "Instead, the IRS is outsourcing the sensitive and private financial information of American taxpayers to private debt collectors, increasing the risk of security breaches exponentially.”
NEXT STORY: NIST highlights RFID risks