3.2.1 IRS - Safeguarding Requirements
Chapter: Confidentiality and Safeguarding Information
Subject: IRS - Safeguarding Requirements
Policy Number: 3.2.1
Effective Date: July 1, 2014
Federal Authority
26 U.S.C. § 6103 Confidentiality and disclosure of returns and return information
26 U.S.C. § 7213 Unauthorized disclosure of information
45 CFR 303.21 Safeguarding and disclosure of confidential information
State Authority
Wyoming Child Support Program Rules Chapter 13 Safeguarding and disclosure of confidential information
Overview
Information received from the Internal Revenue Service (IRS) is subject to strict safeguards and record keeping. As a recipient of federal tax information (FTI), the Wyoming CSP will take specific steps to safeguard and protect FTI. The IRS audits the Wyoming CSP triennially for compliance with these safeguarding requirements. For the penalties associated with the unauthorized disclosure or release of FTI, see 3.2.7 IRS – Unauthorized Disclosure of Information and IRC - SEC Non-Disclosure Oath and Certification of Need to Know Form.
Policy
Safeguard Information
The Wyoming CSP Program utilizes IRS information in order to locate non-custodial parents and alleged fathers to establish and enforce support obligations.
FTI is any return or return information received from the IRS or secondary source, such as SSA, Federal Office of Child Support Enforcement or Bureau of Fiscal Service, as defined by the IRS in IRS Publication 1075 – Tax Information Security Guidelines for Federal, State, and Local Agencies (Appendix 3.A). FTI contained in POSSE includes:
Social security numbers,
Addresses, and
Federal tax intercepts (payments).
FTI may also include Personally Identifiable Information (PII). FTI may include the following PII elements:
The name of a person with respect to whom a return is filed
His or her mailing address
His or her taxpayer identification number
Email addresses
Telephone numbers
Social Security Numbers
Bank account numbers
Date and place of birth
Mother’s maiden name
Biometric data (e.g., height, weight, eye color, fingerprints)
Any combination of the preceding
FTI does not include information provided directly by the taxpayer or third parties (third parties do not include the secondary sources identified in Section 1.4.1, Federal Tax Information). If the taxpayer or third party subsequently provides returns, return information, or other PII independently, the information is not FTI as long as the IRS source information is replaced with the newly provided information. Therefore, any FTI or PII provided by the IRS, SSA, Federal Office of Child Support Enforcement or Bureau of Fiscal Service shall be verified by another source, called “Third Party Verification”, prior to using the information to further the mission of the IV-D child support program.
Safeguard Requirements
The IRS requires that the Wyoming CSP Program safeguard FTI in the following 4 ways:
1. Establish and maintain a standardized, permanent system of records for a disclosure request.
Wyoming receives all FTI via CyberFusion. All FTI is stored on the Department of Family Services (DFS) servers and is accessible by child support staff via POSSE and Wyoming Enterprise Technology Services staff maintaining the child support system via POSSE, Windows and AIX.
The State CSP Office, State Disbursement Unit, District CSE Offices, Clerks of District Court and Wyoming Enterprise Technology Services should not print POSSE screens containing FTI. For a more detailed discussion, see IRS – Screen Prints (3.2.3).
2. Establish and maintain a secure area or place to store FTI.
Restricted areas within the office are for Wyoming CSP personnel only.
Every office shall maintain a visitor log as described in Visitor Access Log, Agency Employee Authorized Access Log and/or Non-Agency and Contractor Authorized Access Log. Unauthorized individuals may not be in work areas unsupervised.
During customer interviews, only case record information pertaining to that customer is visible on the desk or surrounding areas.
i. Lock the computer when not in use, and ensure that the computer displays only the information relating to the customer during interviews.
ii. Sign off terminals when leaving for the day.
Place all case records and customer information in locked file cabinets or other secure locations when not directly working on the contents.
Do not leave case records on chairs, floors, the top of file cabinets, etc., when not specifically processing case information.
At a minimum, ensure that all case records and customer Personally Identifiable Information (PII) are not accessible before leaving the work area, desk and/or office.
Before leaving the work area and/or desk for a short time, secure all case records and customer Personally Identifiable Information (PII), and log out of the computer application – POSSE.
When leaving the work area and/or desk at the end of the work day, secure all case records and customer information, log out of the computer application – POSSE, and log out of the network.
Check mail trays for customer information regularly and do not leave this material in the mail trays overnight.
Place IRS labels on case files and individual documents within the case file that contain IRS information. (Labels may be obtained from the State CSE Office.)
Do not leave printed documents on printer trays.
The office building will be secured by doors with hinges on the inside or, if the hinges are on the outside, the hinges will have non-removable pins.
3. Restrict access to returns.
District CSE Offices and Clerks of District Court have access only to needed FTI.
Ensure after-hours cleaning services sign a General Services Contract approved by the IRS. See Appendix 3.B – Contract for General Services.
4. Provide any other safeguards as necessary.
The source of any payment identified in POSSE shall not be displayed on any reports.
Implement an annual disclosure awareness program (see IRS – Awareness and Training (3.2.2)).
State CSE Office conducts internal inspections and safeguarding audits as required by IRS Publication 1075.
Keys to sites that maintain or store IRS data are marked as Do Not Duplicate and monitored utilizing a Key Control Log.
Authorized POSSE users serving as a second barrier between FTI and unauthorized individuals shall wear a photo identification badge where it can be readily seen.
Safeguard Reviews
Every three years, the IRS visits Wyoming to audit the Wyoming CSP. During this audit, the IRS reviews Wyoming CSP policies and procedures and conducts site visits at the State CSP Office along with at least one District CSP Office and Clerk of District Court to ensure FTI is protected as discussed above.
In addition to the IRS audit, the State CSP Office is required to complete a random on-site audit of several locations annually. These locations include the State CSP office, the State Disbursement Unit, the District CSP offices, the Clerks of District Court offices, the State Central Mail office, the Wyoming Department of Enterprise Technology Services IT Operations locations, and the Wyoming Department of Enterprise Technology Services offices of programming staff with access to POSSE data. For more information on the IRS safeguarding visit conducted by the State CSP Office, see 17.4 Audits – IRS Safeguarding Visit.
The IRS Internal Inspection – CSP Office Report is to be completed annually by every District CSP Office Manager. The IRS Internal Inspection – CDC Office Report is to be completed annually by every Clerk of District Court or designee and the State Disbursement Unit (SDU) Manager. The Internal Inspections – IT Operations Report is to be completed annually by the appropriate Wyoming Enterprise Technology Services Managers. The IRS Internal Inspection – Headquarters Office Report is to be completed annually by the CSP State Staff. In addition, each User or IT staff member with access to POSSE data will complete the IRS Internal Inspection – User Questionnaire annually.
Cross Reference
Appendix 3.B – Contract for General Services
Appendix 3.C - Communications with Persons Represented by Counsel