AccessibilitySkip to Top NavigationSkip to Main ContentHome  |  Contact IRS  |  About IRS  |  Site Map  |  Español  |  Help  

Part 10. Security, Privacy and Assurance

Chapter 2. Physical Security Program

Section 13. Information Protection

10.2.13  Information Protection

10.2.13.1  (09-30-2008)
Scope

  1. The protection of information is of vital concern to the Service. Every effort must be made to ensure that all documents are provided protection commensurate with the information therein.

  2. For the purpose of this Handbook the terms "tax data" and "tax information" include "return" and "return information" as defined in the Internal Revenue Code (IRC) 6103(b).

  3. In addition to tax data, there are many other documents that require protection from disclosure, such as national security information (NSI) (classified), Law Enforcement Manuals, informant communications, personnel files and employee medical records, investigator files, security clearance files, employment testing materials, grand jury information, passwords, and proprietary information belonging to either the IRS, contractors, or taxpayers.

  4. Information such as training material, statistical files and various internal communications may require protection from disclosure and undesired dissemination. The manager of the function originating the information shall determine the degree of protection required, if any, and will work with the physical security staff to implement appropriate protective measures.

  5. The sensitivity of information on media such as magnetic tapes or disks, memory sticks/flash drives, microfilm, microfiche, etc. may not be readily apparent without the use of equipment. Therefore all Service personnel must take care to ensure they store information on approved storage media and that they recognize information which requires protection regardless of the media on which that information is contained. For additional guidance on security of computer systems and magnetic media, see 10.8.1, Information Technology (IT) Security Policy and Guidance.

  6. For Further guidance on protection of information as it pertains to information technology security, refer to IRM 10.8.1

  7. The Chief, Agency-Wide Shared Services, is authorized to prescribe the Information Protection Program for use within the IRS. The Director, Physical Security and Emergency Preparedness, is responsible for oversight of this IRS Program. The Associate Director, Security and Emergency Programs Division, is responsible for planning, developing, implementing, evaluating, and controlling this IRS Program.

10.2.13.2  (09-30-2008)
Disclosure of Tax Information

  1. Tax returns and return information are to be considered Sensitive But Unclassified (SBU) information and should not be subject to disclosure except as specifically provided in TD P 15-71, Chapter III, Sections 23 and 24. Internal Revenue Code 7213 and 7217 include civil and criminal penalties for willful or negligent disclosure of returns or return information.

  2. IRM 11.3, Disclosure of Official Information Handbook, contains guidelines governing the release of data included on tax returns and other information contained in Service files. Release of any tax data whether on microfilm or photocopy impressions to any other Federal or state government activity shall be effected in accordance with the disclosure requirements in IRC 6103 and IRM 11.3. The Disclosure office should be consulted on release of this type of information.

  3. In addition to guarding against unauthorized disclosure of tax and national security information by Service employees, steps must be taken to prevent the possibility of such disclosure by non-Service personnel. Care must be taken to deny unauthorized non-Service personnel access to other than those areas which have been established for serving the public. All tax data in non-secured areas must be containerized during non-duty hours and must be protected from inadvertent disclosures during duty hours.

  4. For tax information disclosure, those individuals who have a "need to know" , such as certain government contractors and vendor personnel, must be informed of the protection requirements under the law and in general must have an NBIC background check. Access to NSI requires more stringent controls which are addressed in IRM 10.9.1 Protection requirements should be provided in writing, citing the prohibitions, restrictions and penalties for unauthorized disclosure of tax return and return information under appropriate sections of the Internal Revenue Code for willful or negligent disclosure of returns or return information.

10.2.13.2.1  (09-30-2008)
Release of Tax Data Outside of IRS

  1. Release of any tax data, whether magnetic media or photocopy impressions to any other Federal or state government activity shall be effected in accordance with IRC 6103 and IRM 11.3, Disclosure of Official Information, which contains instructions for periodic review of the safeguards of Federal tax returns and return information established by such agencies receiving this material. These reviews are required to meet the provisions of IRC 6103(p). Procedures for conducting safeguard reviews can be found in IRM 10.2.3.

10.2.13.2.2  (09-30-2008)
Protection of Informant Information

  1. The identity of persons who furnish information regarding possible tax violations, must be protected. All employees must, therefore, handle such information in strict confidence (See IRM 25.2, Information and Informants Rewards). Such information must be given special handling to avoid disclosure to other than those employees having an absolute "need to know"

  2. As soon as informant correspondence is recognized by mail classifiers or other employees, it will be sealed in "To Be Opened by Addressee Only" envelopes and follow referral instructions in IRM 25.2. These same precautions will also apply to claims for rewards, memorandums of oral interviews with informants, or any other communications which might, in any way, identify informants or by hand carrying the material to the appropriate office.

  3. In order to maintain maximum security, informant communications claims for reward, claims for reward reports, memorandums or documents which identify informants will be afforded containerized protection at all times, except when such documents are being processed. Access to such storage containers will be limited to the person or persons responsible for the security of the documents.

10.2.13.2.3  (09-30-2008)
State and Local Government Tax Returns

  1. State and local government tax returns and other non-Federal tax information will be protected in the same manner as the corresponding Federal tax return or tax information.

10.2.13.2.4  (09-30-2008)
Other Protectable Information

  1. For other categories of protectable information, such as those protected under the Privacy Act, see the Disclosure of Official Information Handbook.

  2. Although the Service rarely has had an occasion to classify a document containing National Security Information, it does have custody of some documents so classified. Protection of Information classified Top Secret, Secret or Confidential under Executive Order 12958 (Classified National Security Information) as amended, to include complete instructions for handling, storing, transmitting and disposing of, as well as instructions for classifying an original document if it becomes necessary will be discussed later in this IRM.

10.2.13.3  (09-30-2008)
Sensitive But Unclassified (SBU) Information

  1. SBU shall be the primary term used to mark sensitive but unclassified information originating within IRS offices. The SBU marking shall identify information, the release of which could cause harm to a persons privacy or welfare, may adversely impact economic, industrial, or international financial institutions; or compromise unclassified programs or essential operations or critical infrastructures. Sensitive information (including tax and tax-related information) is any information which if lost, stolen, or altered without proper authorization, may adversely affect Service operations. For example, unauthorized disclosure of an individual's tax information may cause lawsuits against Service officials as well as the Service, unwanted notoriety for the Service, and public distrust in the Service's ability to protect such information, all of which may result in an increase in noncompliance with tax laws. Unauthorized release of information such as the name and address of an informant may threaten that person's life.

  2. Previous designations to label sensitive information such as Limited Official Use, For Official Use Only, Market Sensitive, Close Hold, Eyes Only, Privileged or Proprietary, et al., shall be discontinued in identifying SBU information produced within IRS unless a particular term is authorized by law, statute, or agency regulation or as identified below. Information so marked is not meant for public release but controlled or restricted in conducting official IRS business. Access to SBU shall be based on a determination that an employee, contractor personnel or consultant requires access to specific SBU information in order to perform or assist in lawful, authorized, governmental functions; a security clearance is not required to access SBU information.

  3. Designating particular information as SBU is not a license to:

    1. conceal possible negligence, waste, or illegal activity

    2. prevent embarrassment to a person, organization, or agency; to restrain competition

    3. prevent or delay the release of information;

    4. restrict access by executive, legislative, or judicial agencies, organizations, or officials.

  4. SBU information is not automatically exempt from provisions of the Freedom of Information Act (FOIA) or the Privacy Act. FOIA request for SBU or other sensitive information must be evaluated to determine in each instance whether one or more FOIA exemptions apply. Such evaluations pertain to both marked and unmarked records that are subject to the FOIA. However, information sensitivity is expected to decrease with passage of time or changes in circumstances and this must be a factor in determining whether SBU information shall be released. The Privacy Act also requires agencies to collect, maintain, disseminate and make available to a person his or her personal information as required by the Act and its implementing regulations.

  5. Except for the term "LAW ENFORCEMENT SENSITIVE" used by other agencies and Department of the Treasury law enforcement components, e.g., Office of Terrorism and Financial Intelligence (TFI); IRS Criminal Investigations (CI) Division; Office of Inspector General (OIG); TIGTA; the Financial Crimes Enforcement Network (FinCEN); and the Office of Foreign Assets Control (OFAC), descriptions similar to "Improper use of the report is a violation of 18 United States Code (USC) 641" used by the Comptroller of the Currency and the Office of Thrift Supervision (OTS) for bank exam/secrecy reports and "tax return information" restricted under Section 6103 of the Internal Revenue Code, no other terms shall be applied to IRS originated sensitive information determined to be SBU unless authorized by law, statute, or regulation.

  6. Other Federal, State and local government agencies, international organizations or foreign governments may use different terms to identify sensitive information. In most instances the safeguards are equivalent to SBU information. Some agencies and international organizations have additional requirements for their sensitive information. For example: Warning: This document is FOR OFFICIAL USE ONLY (FOUO). It contains information that might be exempt from public release under the Freedom of Information Act (5 USC522). It is to be controlled, stored, handled, transmitted, distributed, and disposed of in accordance with Department of Homeland Security (DHS) policy relating to FOUO information and is not to be released to the public or other personnel who do not have a valid need-to-know without prior approval of an authorized DHS official. IRS users shall follow protective requirements of the U.S. Government agency/organization providing sensitive information but are not expected to re-mark such information. When responding to FOIA/Privacy Act requests for information, updated decisions as to the continued value or need to protect such information shall be noted on documentation for future reference prior to being returned to files. Employees shall contact non-IRS originators of specifically marked SBU information for guidance or instructions on proper handling. In the absence of such guidance the information shall be safeguarded in accordance with the requirements contained in this section.

10.2.13.3.1  (09-30-2008)
Personal Identifiable Information (PII)

  1. PII is a specific type of Sensitive But Unclassified (SBU) information. PII includes the personal data of taxpayers, and also the personal information of employees, contractors, applicants, and visitors to the IRS. Failure to protect PII could result in disciplinary action for employees and managers. Examples of PII include, but are not limited to:

    1. Names

    2. Home addresses

    3. Social Security numbers

    4. Date of birth

    5. Home telephone numbers

    6. Biometric data (height, weight, eye color, fingerprints, etc.)

    7. Other numbers or information that alone or in combination with other data can identify an individual.

10.2.13.3.2  (09-30-2008)
Responsibilities

  1. Treasury/bureau security officials shall provide routine oversight of measures in place to protect SBU information through a program of routine administration and day-to-day management of their information security program.

  2. Supervisors and program managers are responsible for employees being trained to recognize and safeguard SBU information supporting their mission, operations and assets. Supervisors and managers shall also ensure an adequate level of education and awareness is maintained by affected employees. Education and awareness shall begin upon initial employee assignment and annually reinforced through mandatory training, staff meetings or other methods/media contributing to an informed workforce. This includes requiring appropriate security contract clauses for personnel, facilities and information protection through the acquisition process when access to SBU information is necessary.

  3. IRS employees, contractor personnel and consultants must be aware and comply with safeguarding requirements for SBU information. Personnel should also be aware that divulging SBU information without proper authority could result in administrative or disciplinary action (including termination of contract). The lack of a SBU marking does not necessarily mean the information is not sensitive nor does it relieve the creator or holder of such information from responsibility to appropriately safeguard the information from unauthorized use or inadvertent disclosure. Employees are also responsible for protecting SBU information supporting their mission, operations and assets. Protection efforts shall focus on preventing unauthorized or inadvertent disclosure and especially when visitors enter areas where SBU information is handled, processed, discussed or stored. This includes being aware of surreptitious and accidental threats posed by high-end communications technologies carried/used by employees and visitors, such as cell phones (with or without photographic capability), personal data assistants, portable/pocket computers, cameras and other video imaging recorders, flash drives, multi-functional and two-way pagers, and wireless devices capable of storing, processing or transmitting information.

  4. IRS officials who create SBU information are responsible for determining how long the information must be protected, for example, either by date or lapse of a determinable event. Unless otherwise noted on a document, information marked as SBU shall generally no longer be treated as sensitive after 25 years except as provided by statute, law or agency regulation. Previously generated sensitive information of IRS origin shall be subject to release determinations under the FOIA/Privacy Act. Information creators, not system-operators, shall determine what information requires protection depending on the nature of the information and the environment in which it is processed and stored. SBU information shall not remain designated as such when its disclosure would no longer reasonably be expected to adversely impact economic, industrial, or international financial institutions; or compromise unclassified programs or essential operations or critical infrastructures.

  5. The following requirements cover the most sensitive types of information only. Often, the employee or manager working with sensitive information not mentioned herein will be able to determine how much protection is required and how that protection can best be provided.

10.2.13.3.2.1  (09-30-2008)
Marking

  1. Information designated as SBU and requiring such marking as determined by IRS components and especially those identified by FOIA and Privacy Act shall be distinctly labeled so persons authorized access are readily aware of its sensitivity. The lack of SBU markings, however, does not relieve the holder from safeguarding responsibilities. Unmarked SBU information already in records storage does not need to be removed, marked, and restored. However, when individual items are temporarily removed from storage that have no markings (and are subsequently deemed to be SBU) they shall be appropriately marked to reflect the correct status as SBU before being re-filed. Items containing SBU information shall be:

    1. Prominently marked at the top/bottom of the front/back cover and each individual page with the marking "SENSITIVE BUT UNCLASSIFIED" or "SBU" . Information system prompts may be adjusted to incorporate SBU markings in headers and footers.

    2. Portions, paragraphs and subject titles containing SBU information shall be marked with the abbreviation (SBU) to differentiate it from the remaining text. Only when the entire text contains SBU information are individual portion markings optional.

    3. Controlling, decontrolling or originator information markings are not required.

    4. When sent outside IRS, SBU information documents shall include a statement alerting the recipient in a transmittal letter or directly on the document containing SBU information, for example: "This document belongs to the IRS. It may not be released without the express permission of (creating office). Refer requests and inquiries for the document to: (insert name and address of originating office and contact number(s))" .

  2. Protective measures start when markings are applied and end when such markings are cancelled or the records are destroyed. SBU information may be reproduced on regular office copiers to the extent needed to carry out official business. Flawed or otherwise unusable reproductions shall be destroyed via shredding or placement in burn-bags. Although SBU is Treasury’s standard for identifying sensitive information, some types of SBU information might be more sensitive than others and warrant additional safeguarding measures beyond the minimum requirements established herein. Certain information might be extremely sensitive based on repercussions if the information is released or compromised – potential loss of life or compromise of a law enforcement informant or operation. Employees must use sound judgment coupled with an evaluation of the risks, vulnerabilities, and the potential damage to personnel or property/equipment as the basis for determining the need for safeguards in excess of the minimum requirements contained herein.

    1. A green"SENSITIVE BUT UNCLASSIFIED" (see exhibit 10.2.13-1) cover sheet shall be used to prevent unauthorized or inadvertent disclosure when SBU information is removed from an authorized storage location and persons without a need-to-know are present or casual observation would reveal SBU information.

    2. When forwarding SBU information, an SBU cover sheet shall be placed inside the envelope and on top of the transmittal letter, memorandum or document.

    3. When receiving SBU or equivalent information from another U.S. Government agency, it shall be handled in accordance with the guidance provided by the other U.S. Government agency. Where no guidance is provided it shall be handled in accordance with IRS policy as described herein.

10.2.13.3.2.2  (09-30-2008)
Handling, Dissemination, and Access

  1. Information designated as SBU shall be orally, visually, or electronically disseminated in such manner to avoid access by unauthorized persons. Tax information will not be released outside the Service except as provided in the Internal Revenue Code. Precautions might include preventing visual access and restricting oral disclosure to designated individuals. Access to SBU information shall be on a need-to-know basis as determined by the holder of the information. However, where there is uncertainty as to a person’s need-to-know, the holder of the information shall request dissemination instructions from his or her next level supervisor or manager. Holders of SBU information shall comply with any additional access and/or dissemination restrictions cited on the document. Unless marked to the contrary, SBU information officially released to the IRS may be provided to another U.S. Government agency without prior permission of the originator. Where there is uncertainty as to whether release information or not, the holder of the information shall request release instructions from his or her next level supervisor or manager.

10.2.13.3.2.3  (09-30-2008)
Storage

  1. A document containing information that requires protection must be stored in accordance with minimum protection standards whenever it is not in the custody of an authorized IRS employee. SBU information shall be stored, at a minimum, in a file cabinet, desk drawer, overhead storage bin, credenza, or similar locked compartment. SBU information may also be stored in a room or area with physical access control measures affording adequate protection and preventing unauthorized access by the public, visitors, or other persons without a need-to-know. Examples include, but are not limited to, a key-locked room, or restricted access work area controlled by a cipher lock or card reader. To the extent possible, SBU information stored in the same container used for safeguarding classified information shall be filed separately from classified information. When SBU and classified information are co-mingled in an IRS document or file, the required protection for the particular file will be governed by the highest level of classified information.

  2. Field employees, at times, have sensitive information at the taxpayer's site which should be stored at an IRS facility. Service managers must ensure that employees adequately secure such information at the taxpayer's site. Sensitive tax information, such as agent's work papers, original returns, examination plans, probes, fraud data, etc. which is housed at the taxpayer's site, must be stored in a container under the control of the responsible Service employee. This container must be either a security container furnished by the Service, or if using a taxpayer furnished container, it must be modified by the Service (e.g., bars and locks) so that the Service is assured that the taxpayer cannot access the container. During duty-hours, the data must be under the personal custody of the Service employee if it is not containerized. If a lockable and suitable container cannot be provided, sensitive tax information will not be left at the taxpayer's site.

10.2.13.3.2.4  (09-30-2008)
Transmission

  1. Tax information transmitted from one location to another must be provided adequate safeguards. If a person hand carries material in connection with a trip or in the course of daily activities, it should be kept with him or her to the extent possible. If tax information must be left in an automobile, it should be locked in the trunk. If the vehicle does not have a trunk the material should be concealed from plain view and secured in some manner. In either case, the vehicle should be locked and the material left unattended for only a short period. Hotel/motel rooms are usually not good locations to secure tax information; however, if the material must be left in such a location, it should be locked in a briefcase and concealed to the extent possible.

  2. If SBU information is being moved from one building to another (even within the same fence line) or one location to another even if it is a short distance, all steps must be taken to protect the information from unauthorized disclosure, loss, damage or destruction. Procedures listed below are the minimum that shall be followed when transporting/transmitting SBU information.

    1. SBU information to be mailed within the United States and its territories shall be placed in an enclosed envelope/container or double wrapped in an opaque material and sealed to reveal evidence of possible tampering, prevent inadvertent damage, destruction, loss, disclosure, and/or opening. The envelope/container shall bear the complete name and address of the sender and intended recipient or program office. SBU information may be opened and examined by mail room personnel in the same manner in which other incoming mail is evaluated and determined to be safe for internal delivery. SBU information shall be mailed by U.S. Postal Service (USPS) First Class Mail. Use of express mail services or commercial overnight delivery service is authorized, as warranted. If information is transported via personal or rental vehicles, vehicles used to transport sensitive information must be enclosed and locked.

    2. When sent to overseas offices, SBU information shall be transmitted electronically and may be encrypted for purposes of transmission. If serviced by a military postal facility, i.e., APO/FPO, SBU information may be mailed directly to the recipient. Where the overseas office is not serviced by a military postal facility, the information shall be sent through the Department of State’s (DOS’s) unclassified diplomatic pouch. Advanced coordination with State officials shall be made to ensure delivery at the final destination meets Treasury/bureau needs and State’s schedule for such deliveries.

    3. When transmitting SBU information via FAX, secure fax is encouraged. However, SBU information may be transmitted via unsecured fax unless verbal or written restrictions have been cited by the originator. Where an unsecured fax is used, the sender shall be reasonably assured by the intended recipient that the information will not be left unattended or subject to possible unauthorized disclosure on the receiving end. Such assurance might entail the recipient standing by to receive SBU information and immediately phoning the sender to verbally acknowledge receipt. The recipient of the information shall comply with any access, dissemination, and transmittal restrictions cited thereon or verbally communicated by the originator.

    4. The use of a Secure Telephone Unit (STU III) or Secure Telephone Equipment (STE) is encouraged though not required, for transmitting SBU information. When using regular office telephones, users shall confirm speaking to an authorized person before discussing the information, and inform the person that the forthcoming discussion will include SBU information and identify those part(s) of the discussion that are sensitive. Only under exigent circumstances should voice-mail messages containing SBU information be left for a recipient. Thereafter, IRS IT personnel shall be engaged to effectively delete such messages except where the message itself is regarded as evidence by a competent investigative authority.

    5. IRS internal E-mail systems shall not be used for the transmission of SBU information unless the message is encrypted.

  3. All shipments of tax returns and return information (including magnetic media and microfilm) from any processing center to the National Office, the Computing Centers, other IRS offices or other agencies and other jurisdictions, will be documented on a Document Transmittal Form 3210, see Exhibit 10.2.13-2, or similar form and monitored to ensure that each shipment is properly and timely received and acknowledged. Every Service office engaged in the shipment of tax returns and return information shall designate individuals to be responsible for monitoring the shipments.

    1. Mass Storage Media will be transmitted in accordance with IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance.

  4. Tax data being retired to Federal Records Centers will be transmitted with SF 135, Record Transmittal and Receipt, see Exhibit 10.2.13-3. Column "f" of this form will contain the following statement: "These are restricted records and must be guarded at all times from disclosure to unauthorized persons."

  5. Instructions provided in IRM 1.15.29, Records Control Schedule for Service Center Operations will be followed for the packing and shipping of tax data and all shipments will be coded "W" to require both restricted access and witnessed destruction.

  6. Tax data transmitted to other authorized agencies and jurisdictions will be transmitted in accordance with this guidance and recordkeeping requirements of IRM 11.3, Disclosure of Official Information. These instructions do not apply to tax data transmitted to foreign governments in accordance with tax treaties.

10.2.13.3.2.5  (09-30-2008)
Disposition and Destruction

  1. Disposition and destruction of tax information must be in accordance with the IRM 1.15.2, Types of Records and Their Life Cycle, and IRM 1.15.3, Disposing of Records. Although IRS employees may know the proper methods of destroying tax data, management must reinforce this knowledge by including document destruction as a topic in orientation sessions, periodic group meetings and other awareness sessions.

  2. Waste material generated in the processing of tax documents, protected data or other related documents must be destroyed by burning, disintegrating, pulping, shredding or by any other manner which in the judgment of the responsible security official renders the information contained in such material irrecoverable. The fact that material has been identified for destruction does not change the requirement to provide appropriate protective measures. Waste material must be provided the protection equal to that required by the most protected item. This material may include, but is not limited to, extra copies, photo impressions, microfilm, printouts, computer tape printouts, IDRS printouts, notes, work papers or any other material containing tax information which has served its purpose. Disposition of magnetic media can be found in IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance.

  3. Waste material generated in the processing of tax documents, protected data or other related documents must be placed in receptacles specifically marked for sensitive information (i.e. shred material, burn, sensitive). Guidelines provided below must be followed in the protection and destruction of all sensitive waste material and care must be taken to ensure that sensitive information is not discarded in regular trash bins. Managers should periodically review work areas to make sure that sensitive waste material is being discarded in an appropriate manner.

10.2.13.3.2.6  (09-30-2008)
Destruction Precautions

  1. The purpose of destroying protected information is to keep the information from being disclosed to unauthorized personnel. Protected information on any media will be removed, obliterated, or the media destroyed by or in the presence of an IRS employee. Security personnel will work with managers to develop and implement local procedures to enhance the concepts outlined here.

  2. In the event tax information media is to be collected and destroyed by an independent contractor, to preclude the necessity of having an IRS employee present during destruction, the contract must include the safeguard provisions required by IRC 6103(n) and regulations therein. The provisions of the contract must allow for IRS inspection of the contractor facility and operations to ensure the safeguarding of IRS information. Waste material must be maintained in a secured container in a secured area to prevent sensitive information from unauthorized disclosure or access. The contractor must provide a certificate of destruction.

  3. Paper data will be destroyed in one of the following ways:

    • shredding to effect 5/16 inch wide or smaller strips

    • pulping to be accomplished in such a manner that all material is reduced to particles one inch or smaller

    • disintegrating to be accomplished with 1/2 inch or smaller screen

    • burning to effect complete incineration.

  4. When it becomes necessary to store protected information which has been collected for destruction, it will be provided protection equal to that required by the most protected item. All tax data will be destroyed by or in the presence of an IRS employee or authorized contract employee.

  5. Protected information contained on any other form of media will be removed, obliterated, or the media destroyed by or in the presence of an IRS employee or contractor employee in such a manner that the information is totally unrecoverable. For guidance on disposition of magnetic media, see IRM 10.8.1.

  6. After the protected information has been destroyed as specified in these standards, there are no restrictions on how or by whom the material will be collected and transported.

  7. To reduce the cost involved in destroying tax data, local procedures will be developed to prevent employees from throwing coffee cups, lunch bags, newspapers, etc., in receptacles reserved for protected information.

  8. There may be areas or activities where the volume of paper documents containing tax information is sufficient to make it more practical to destroy all documents in the area of activity.

10.2.13.3.2.7  (09-30-2008)
Recycling

  1. information or other sensitive information may not be placed in regular recycling containers, but must be placed in secured containers and must be clearly marked.

  2. The preferred approach is that sensitive information be segregated and shredded in accordance with guidelines contained in section 10.2.13.3.2.6, prior to turning it over to the recycler.

  3. Unshredded sensitive information may be turned over to a contractor provided the contract includes necessary safeguards that will ensure compliance with 6103(n) requirements, provides for periodic safeguard reviews, and includes language describing methods of collection, pick-up, storage and disposition. The contract should also include provisions for a Certificate of Destruction.

  4. Another method is to have IRS personnel observe the destruction of sensitive information upon delivery to the recycler. This allows for destruction of sensitive information while maintaining custody of the material up to the moment of destruction. Again the contractor must be in compliance with 6103(n) requirements which provides for safeguards and periodic safeguard reviews. However, this method is not recommended because of the resources that would be required.

10.2.13.4  (09-30-2008)
Information Security During Office Moves

  1. When it is necessary for an office to move to another location, plans must be made to properly protect and account for all tax data and other information, as well as government property. The circumstances of the move must be carefully considered (e.g., the distance involved and the method to be used in making the move). Tax documents and other information will be kept in locked cabinets or sealed in packing cartons while in transit. Accountability will be maintained to ensure that cabinets or cartons do not become misplaced or lost during the move. Throughout the move, classified material and other critical material will remain in the custody of an IRS employee with the appropriate clearance and need to know. The precautions taken to protect Government property during the move will be commensurate with the type and value of property involved. Small items of high value will be packed in cartons or moved in locked cabinets. Accountability will be maintained throughout the move.

Exhibit 10.2.13-1  (09-30-2008)
Sensitive But Unclassified Cover Sheet

This image is too large to be displayed in the current screen. Please click the link to view the image.

Exhibit 10.2.13-2  (09-30-2008)
Document Transmittal Form

This image is too large to be displayed in the current screen. Please click the link to view the image.

Exhibit 10.2.13-3  (09-30-2008)
Records Transmittal and Receipt Form

This image is too large to be displayed in the current screen. Please click the link to view the image.

More Internal Revenue Manual