Agencies and their contractors that receive FTI are subject to the safeguards of IRC §6103(p)(4) and therefore, the agency and their contractors must file a Safeguard Procedures Report (SPR),with the IRS prior to the receipt of FTI. This enables the IRS to review the agencies', and its authorized contractors', procedures to protect FTI from unauthorized inspection or disclosure before the information is released. Agencies must submit a revised Safeguard Procedures Report whenever significant changes occur in their safeguard program or at least every six (6) years; this should take into consideration changes made by agency contractors. See the subsection on " Submission of Safeguard Procedures."

Annually thereafter, agencies submit a Safeguard Activity Report (SAR)to certify that they are continuing to appropriately protect return information.

It is important that these reports are complete and remain current. In order for agencies and contractors to submit acceptable reports, recipients of FTI must be aware of the IRS reporting requirements. The requirements are outlined below and are included in IRS Publication 1075, Tax Information Security Guidelines for Federal, State, and Local Agencies and Entities.

Agencies should make like requirements of their contractors to submit their SPRs and SARs to the agency for routing to the Office of Safeguards.

Agency reports will be evaluated upon receipt. If the reports are complete and no significant questions arise, the evaluation will conclude within 30 calendar days for the SPR and for the SAR, with written notification to the agency (and contractor via the agency.)

The Office of Safeguards assumes a proactive approach to assure that agencies submit complete and comprehensive SPRs. To the extent necessary and possible, agency hands-on guidance/assistance is provided so that the agencies and their contractors will be aware of what is considered FTI, its level of importance, and when an updated report is required.

Agencies are required to develop safeguard procedures for all tax data they receive and all uses of that data by the agency or the authorized contractor. Agencies and contractors receiving FTI under a single section of the Code may have several separate or independent uses of the data within the agency, involving several functional units.

Disclosures Under Multiple Code Sections (Federal Agencies) - Some Federal agencies receive FTI from the IRS under the authority of more than one section of the Internal Revenue Code. In these cases, the agency must distinguish between the IRC sections, and provide safeguard procedures for each program or use. The agency may either file separate Safeguard Procedures Reports or consolidate the separate procedures for the various programs or uses into a single SPR.

Federal, state, and local agencies requesting using Form 8300, Reports of Cash Payments Over $10,000 Used in a Trade or Business, (available information pursuant to IRC §6103(I)(15)) must file a separate SPR for this program. All agencies requesting data under IRC §6103(I)(15) are referred to the Office of Safeguards.

The SPR will be submitted using the approved SPR template available from the Office of Safeguards. The template includes sections for specific required content.

Responsible Officer(s):

Location of the Data - Include an organization chart or narrative description of the receiving agency organization, which includes all functions where tax data must be processed or maintained. If the information is to be used or processed by more than one function, then the pertinent information must be included for each function.

Flow of the Data - The report must contain a flow chart or narrative description of:

System of Records - A description of the permanent record(s) used to document requests for, receipt of, dissemination of (if applicable), and final disposition (return to the IRS or destruction) of the FTI (including all electronic media). Agencies and their contractors are expected to be able to provide an "audit trail" for all information requested and received; the trail is to also include copies or distribution beyond the original document/media.

Secure Storage of the Data - The agency will provide a description of the security measures employed to provide secure storage for the FTI when it is not in current use. Secure storage encompasses such diverse considerations as locked files or containers, secured facilities, key or combination control, off-site data warehousing/storage, and restricted areas. It is requested that Federal agencies submit a Vulnerability Assessment that is to be completed based on General Services Administration (GSA) standards for their building(s) as it pertains to addressing physical security.

Restricting Access to the Data - A description of the procedures or safeguards to ensure access to FTI is limited to those individuals who are authorized access and have a need to know. Describe how the information will be protected from unauthorized access when in use by the authorized recipient. The physical barriers to unauthorized access should be described (including the security features where FTI is used or processed) and systemic or procedural barriers.

Disposal - A description of the method(s) of disposal of the different types of FTI is provided by the IRS, and/or produced by the agency and contractor (e.g., print-outs, back-up tapes and the like), if not returned to the IRS. The IRS will request a written agency report that documents the method of destruction by which records were destroyed (see paragraph (5), System of Records, above).

Information Technology (IT) Security - A description of all automated information systems and networks that receive, process, store, or transmit FTI. These systems must have safeguard measures in place to restrict access to sensitive data (see Publication 1075, Section 5.6). These safeguards should address all key components of IT security. They should:

Disclosure Awareness Program - Each agency and contractor who receives returns and return information must have an awareness program wherein all employees having access to FTI certify annually of the training received and receipt of the confidentiality provisions of the Internal Revenue Code, as well as, the civil and criminal sanctions for unauthorized inspection or disclosure of FTI. A description of the formal program should be included in the Safeguard Procedures Report.

The initial Safeguard Procedures Report should be submitted to the IRS at least 45 days prior to the scheduled or requested receipt initial of FTI.

IRC §6103(p)(4)(E) requires agencies receiving FTI to file a report that describes the procedures established and used by the agency for ensuring the confidentiality of the information received from the IRS. The Safeguard Procedures Report (SPR) is a record of how FTI is processed by the agency; it states how it is protected from unauthorized disclosure by that agency. Annually thereafter, the agency shall file a Safeguard Activity Report (SAR). This report advises the IRS of minor changes to the procedures or safeguards described in the SPR. It also advises the IRS of future actions that will affect the agency's safeguard procedures, summarizes the agency's current efforts to ensure the confidentiality of FTI, and finally, certifies that the agency is protecting FTI pursuant to IRC §6103(p)(4) and the agency's own security requirements.

Whenever legislative changes or new data exchange agreements or Memorandum of Understandings (MOUs) authorize an agency to receive FTI for a new or different purpose, a new or revised Safeguard Procedures Report covering the additional program(s) must be submitted to the IRS.

Agencies shall submit their SAR on the template developed by the Office of Safeguards. The most current template may be requested by contacting SafeguardReports@irs.gov. The SAR should be accompanied by a letter on the agency’s letterhead signed by the head of the agency or delegate, dated.

Changes to information or procedures previously reported, e.g.:

Current annual safeguard activities shall include, at a minimum, the following items:

Agency Disclosure Awareness Program – The agency should describe the efforts to inform all employees having access to FTI of the confidentiality requirements of the IRC, the agency’s security requirements, and the sanctions imposed for unauthorized inspection or disclosure of return information.

Reports of Internal Inspections – The agency should provide copies of a representative sampling of the Inspection Reports and a narrative of the corrective actions taken (or planned) to correct any deficiencies should be included with the annual SAR.

Disposal of FTI – The agency should report the disposal or the return of FTI to the IRS or source. The information should be adequate to identify the material destroyed and the date and manner of destruction, including copies of destruction logs.

Other information – The agency should provide other information to support the protection of FTI, in accordance with IRC §6103(p)(4) requirements.

The agency should report all actions taken, or being initiated, regarding recommendations in the Final Safeguard Review Report issued because of the latest safeguard review.

Planned Actions Affecting Safeguard Procedures - Any planned agency or contractor action which would create a major change to current agency procedures or safeguards will be reported. Such major changes would include, but are not limited to, new computer equipment, facilities or systems to perform programming, processing or administrative services requiring access to FTI.

Agency Use of Contractors – Agencies must account for the use of all contractors, permitted by law or regulation, to do programming, processing or administrative services requiring access to FTI.

Agencies are to submit their reports to the Office of Safeguards electronically. Reports must be sent encrypted via IRS approved encryption techniques. The e-mail address for all reports is: SafeguardReports@irs.gov.

Safeguards personnel need to evaluate SARs thoroughly and quickly. If a SAR is incomplete or unclear, the agency will be contacted and asked to provide the necessary additional information, as may be feasible. The aggregate reports (most current SPR and SARs) will clearly reflect the safeguard procedures in place at that time.

Submission dates for the Safeguard Activity Reports

Delinquent reports, reports with incomplete information or reports which reveal safeguard deficiencies should initially be resolved through informal telephone contact between the reviewer and the agency, in regards to SPRs solicited by the Office of Safeguards.

If an agency or contractor has sent the required report but does not supply the missing information or take corrective action upon request, the reviewer may consider a limited on-site review in order to obtain the information or cause corrective action to be taken.

If the agency fails to respond to a request or refuses to schedule an on-site limited review, then formal procedures to withhold FTI may be initiated under alternative actions ( See IRM 11.3.36.14.3). Conducting a review is an option and not required.

Reasonable attempts, including at least one written request, must be made to obtain a report, missing material, or cause corrective action to be implemented. If an agency fails to respond by sending in an acceptable report, the requested material or take action to correct a deficiency, formal procedures to withhold FTI will be initiated ( See IRM 11.3.36.14).

If any agency or agency contractor fails to respond and is no longer receiving tax data, a written request will be made, to have the agency or contractor destroy any residual data or have it transferred back to the IRS.

If a deficiency is minor, not causing immediate unauthorized inspections or disclosures or the potential of immediate unauthorized inspections or disclosures then the report may be held in abeyance or accepted with the deficiencies noted. The circumstances must be documented, including corrective actions to be taken and scheduled follow-ups by the reviewer.

The steps taken in reviewing reports and/or soliciting additional information from the agency should be well documented. All notes, worksheets, communication contacts, memoranda, and other correspondence will be retained in the file to support decisions made as a result of the process.

If the evaluation of the reports and related materials does not indicate a need for an on-site review, then a letter should be sent to the agency acknowledging receipt and acceptance of the report. The letter will be signed by the appropriate supervisory level. The letter, however, should allow for the possibility of an on-site review, if subsequent information from other sources indicates a need for further investigation. It will be the responsibility of the agency to share the letter with their contractor(s), if information therein is applicable to the contractor(s).

All federal, state and local agency requests for FTI are subject to a Need and Use Determination which is to be documented by the Disclosure Manager with oversight responsibilities for the agency. Disclosure owns the need and use determination responsibility while the Office of Safeguards owns the need and use verification.

Need and Use Determinations are to be made at the time of request, prior to the actual disclosures, and should be a cooperative effort with the state tax agency to accurately determine the minimum amount or information required to accomplish the stated objective(s).

The "basic" agreement provides for the mutual exchange of tax data between specific State tax agencies (IRM 11.3.32.5(1)). The scope of the basic agreement and subsequent implementing agreement will initially be developed and negotiated through discussions between the Governmental Liaison and Disclosure (GLD) Area Manager and the head of the State tax agency (IRM 11.3.32.5(4)).

Specific requests for return information may be related to a state agency project or to a joint project with the IRS, and there may be a separate Memorandum of Understanding covering the project. The Disclosure Manager should ensure that a documented Need and Use Determination is part of the request file.

Although a Need and Use Determination for a specific request may have been completed and documented, the agency may subsequently desire to use the information for a different tax administration purpose. If the subsequent use of the data is for bona fide tax administration purposes, and not in contravention of the Code, then applicable regulations, existing agency agreements, or Service policies, this would not usually be considered unauthorized use of the data as long as notification is given to the Office of Safeguards in the agency's annual SAR.

Need and Use Determinations for state agencies requesting data for tax modeling or revenue estimate purposes will be completed in accordance with IRM 11.3.36.9.1 and Exhibit 11.3.32-6

The Office of Data Services, Governmental Liaison and Disclosure (GLD) will be responsible for maintaining complete and current documentation of the state tax agency’s need for and use of all FTI and data elements which are provided to the agency on a continuing basis pursuant to the implementing agreement.

The Office of Governmental Liaison and Disclosure (GLD) has developed project guidelines for use when developing joint projects with the States. The Office of Safeguards will be consulted on projects regarding any statutory (e.g., Privacy Act or IRC §6103) considerations of the proposed disclosures or exchanges.

Need and Use Determinations reflect the use of the tax data for tax administration purposes. The determination will not be contingent upon a cost-benefit analysis developed to make a business case for the project. However, projects that fall short of their initial objectives or expectations may indicate a need for a subsequent determination regarding the continuation of disclosures for the project.

A Need and Use Review is considered as the verification or confirmation of the Need and Use determination made prior to the release of the requested tax information to the state agency.

An on-site Need and Use Review of each agency receiving FTI will be conducted as part of the Safeguard review.

The on-site Need and Use Reviews are conducted in order to provide a reasonable assurance that the state tax agency’s actually have a need for and use of FTI:

The scope of the review should be broad enough to provide the reviewer with sufficient information to document a conclusion as to the agency’s need for and use of FTI. The reviewer will not make any assumptions regarding the current status (or usefulness) of exchanges that have been routinely in effect for many years.

Other key areas to be reviewed would include (but are not limited to):

Non-use of tax data does not necessarily constitute FTI misuse. However, the objective is to reduce or eliminate unnecessary disclosures of FTI. If the original Need and Use determination was valid, but the actual utilization has been postponed, the reviewer's responsibility is to evaluate whether there is a reasonable expectation that continued retention of the data will be of value to the state for tax administration within a reasonable and logical timeframe .

Office of Safeguards - The results of the Need and Use Review will be included in the Safeguard Review Report In Section G. At a minimum the report must:

All safeguard reviews begin with an evaluation of agency and contractor procedures and activity reports.

The objectives of the evaluation are to identify:

The safeguard review team should develop an effective review plan expending resources only to the extent necessary to ensure that FTI tax returns and return information are protected and are used for a proper purpose.

All safeguard review plans should address the adequacy of computer systems security.

The length of time required for a safeguard review will vary considerably from agency to agency. Factors such as the size and complexity of the agency and of authorized agency contractors, geographic dispersion, the amount and type of FTI disclosed by the IRS, prior safeguard review experience with the agency will influence the time expended on the review.

All personnel participating in a review should have a good understanding of the agency’s systems and procedures for processing FTI, as well as a familiarity with the legal and procedural authorities under which tax data is disclosed to that agency or authorized agency contractor.

A written review plan and/or review preparation checksheet should be prepared for each safeguard review to facilitate control of the review, to provide a permanent record of the review, and to effectively communicate the specific objectives of the review. If the written review plan is used instead of the review preparation checksheet, it should contain the following information:

Contact the agency to establish dates, locations and a tentative review schedule. If reviewing an agency's contractor, initial contact should be made with the agency.

A letter to the agency confirming the intent to conduct an on-site Safeguard Review will be written over the signatory element of the Director, Office of Safeguards, and signed by the reviewer and will include:

The Preliminary Security Evaluation (PSE) conference call will be conducted with agency personnel, especially the agency computer security officer. The PSE conference will focus on: