IRS lags on privacy assessments: TIGTA
The IRS needs to conduct privacy assessments for the 54 percent of its computer systems that have not yet been assessed, in order to protect the taxpayer or employee data they collect and process. The agency also has not adequately monitored its compliance with privacy laws, said the Office of Treasury Inspector General for Tax Administration.
'As a result, the risk is increased that taxpayers' identities could be stolen and used for unlawful purposes,' said Michael Phillips, deputy inspector general for audit, in a recent report.
He cited the publicity over privacy and security from the theft of a notebook PC containing the personal data of millions of veterans because it could have led to identity theft. The IRS receives more than 130 million individual taxpayers' income tax returns. The personal information contained in these returns is converted into electronic format and used in 240 IRS computer systems.
Although the IRS has improved privacy, including through a working group that reviews privacy and disclosure issues and by creating an online privacy training segment, it still does not comply with legislative privacy requirements, the report said.
TIGTA, at the time of the audit last year, could not locate privacy impact assessments for 130 of 241 IRS systems. The missing privacy assessments were due to the lack of emphasis on privacy and the decision to not require that all systems be certified and accredited under the Federal Information Security Management Act requirements.
In addition to conducting privacy assessments on all systems and projects that collect personally identifiable information, the IRS should establish a centralized repository for all privacy assessments in a searchable, electronic format and verify the accuracy of the inventory quarterly. The agency should also provide routine evaluation of employee privacy training, and develop a system for tracking and monitoring these activities.
The IRS, which agreed with TIGTA's recommendations, said in its recent response that it would annually reconcile the privacy assessment inventory to existing system inventories and provide information to the agency business units that are responsible for the systems by October 2007.
'The issue of privacy and security over personal information is a top priority for the IRS,' said Daniel Galik, chief, IRS mission assurance and security services.
The IRS also is developing an electronic privacy assessment inventory, which will be implemented next October.