AccessibilitySkip to Top NavigationSkip to Main ContentHome  |  Contact IRS  |  About IRS  |  Site Map  |  Español  |  Help  

Part 30. Administrative

Chapter 6. Security and Emergency Preparedness

Section 1. Security of Confidential Information, Official Documents, Tax Data, Personnel and Property

30.6.1  Security of Confidential Information, Official Documents, Tax Data, Personnel and Property

30.6.1.1  (01-30-2008)
Policy and Guidelines

  1. This section establishes policies and guidelines for the security of information, documents, personnel, and property in the Office of Chief Counsel.

  2. Security management and procedures will be determined by the Associate Chief Counsel (Finance & Management) in his/her role as the Designated Accrediting Authority (DAA), using the following as guidance after taking into account the risks and needs of the Office of Chief Counsel:

    • The Privacy Act of 1974

    • Federal Information Security Management Act (FISMA) of 2002

    • OMB Circulars A-123 and A-130

    • Treasury Directive TDP 85-01

    • Federal Information Processing Standards (FIPS)

    • Public Law 105-95

  3. Additionally, such procedures will be consistent with the provisions of IRC sections 6103, 7213, 7217 and 7431.

30.6.1.1.1  (01-30-2008)
Security of Information, Documents, and Property

  1. Employees are responsible for the protection and proper disposition of all information, documents and property in their possession or control. They must make every effort to protect information, documents and other property entrusted to their care and prevent unauthorized entry into areas where the information, documents and property are located.

  2. The guidelines included in this section are applicable to employees working in flexiplace locations. Files containing IRS information or data will be secured when not in use or in the possession of the employee.

  3. For guidelines concerning Chief Counsel and IRS information systems, employees should consult their servicing MITS organization or IRM 10.8.1, Information Technology (IT) Security Policy and Guidance.

30.6.1.1.2  (03-29-2006)
Security Responsibilities

  1. The responsibilities of managers are to:

    • Support safety and security programs and policies

    • Ensure adequate training of personnel in safety and security (e.g., fire drills)

    • Discuss safety and security procedures with employees at least annually

    • Ensure security measures are followed to protect life, information, facilities, and property within their areas

  2. The responsibilities of employees are to:

    • Support safety and security programs and policies

    • Report accidents or incidents promptly

    • Assist in the investigation and removal of hazards

    • Be alert to strangers or suspicious packages in the work area

30.6.1.2  (03-29-2006)
Security of Confidential Information, Official Documents and Tax Data

  1. Sensitive But Unclassified (SBU) information is any information considered sensitive or critical due to the risk and magnitude of loss or harm that could result from unintentional or deliberate disclosure, alteration or destruction. SBU information includes:

    • Tax data (e.g. tax returns, returns information, and taxpayer information)

    • Law enforcement information

    • Proprietary information (e.g., contracts, solicitations)

    • Mission-critical information

    • Information subject to the Privacy Act

    Note:

    The Privacy Act of 1974, 5 U.S.C. 552a, provides statutory recognition of an individual’s right to privacy. Recorded information which is retrieved by reference to a name or other personal identifier, such as a social security number, is privacy information.

  2. All employees who have had access to tax data or privacy information are prohibited from disclosing such information except as authorized by law or regulation (see IRM 11.3, Disclosure of Official Information). Employees should safeguard SBU information and avoid the loss or unauthorized destruction of files, correspondence, returns, return information and records, or the unauthorized disclosure of their contents.

  3. Standard practice is to maintain SBU files and documents in locked cabinets during nonworking hours and during periods when the work area is vacant. Security guidelines will be met if the materials are in an employee’s private locked office.

  4. SBU information left on desks, workstations and in conference rooms/work rooms at lunch time, break time, and other times during the workday must be secured or monitored by an employee so that unauthorized access is prevented.

  5. Employees should immediately report allegations or information regarding unauthorized disclosure of tax data or privacy information to their manager for referral to the Treasury Inspector General for Tax Administration (TIGTA) office.

  6. Detailed information is available in:

    • CCDM 39.1.2, Government Ethics Programs, http://publish.no.irs.gov/getpdf.cgi?catnum=29355

    • IRM 1.16.13, Information Protection

    • IRM 1.4.6, Managers’ Security Handbook

    • Document 10281, Safeguarding Taxpayer Records — Renewing our Commitment

    • IRM 1.9, National Security Information

30.6.1.2.1  (01-30-2008)
Documents Classified as "Official Use Only"

  1. Within the Office of Chief Counsel, documents may be classified Official Use Only (OUO) by the persons authorized in Delegation Order No. 89, Administrative Control of Documents and Material, as revised (see IRM 1.2.49, Delegations of Authority for Communications, Liaison and Disclosure Activities). This classification is used for documents which may be made available only to authorized personnel.

  2. The overall principle is that the greatest amount of information will be made available to the public whenever possible. The OUO classification will generally be used only for law enforcement matters if publication would hinder the law enforcement process. OUO classification is generally invoked word by word or line by line, so that only the specific words or lines that need to be classified are in fact classified.

  3. The classification of materials as Official Use Only requires the concurrence of the office of the Director, Governmental Liaison and Disclosure, and shall be coordinated by the Deputy Associate Chief Counsel (Legislation and Policy).

  4. For additional guidance on use of the Official Use Only classification, see IRM 11.3.12, Classification of Documents, http://publish.no.irs.gov/getpdf.cgi?catnum=30435.

30.6.1.2.2  (03-29-2006)
Disposition of SBU and OUO Information

  1. All Sensitive But Unclassified (SBU) documents and documents classified "Official Use Only" (OUO) must be placed in a designated container for disposal, separate from wastepaper baskets or paper recycling receptacles.

  2. In the Headquarters Office, each Administrative Officer will establish a pick-up point in the office for collection and proper disposal of SBU and OUO information.

  3. In field offices, each Finance and Management (F&M) Office Manager is responsible for establishing procedures for the proper disposal of SBU and OUO information.

30.6.1.2.3  (01-30-2008)
Electronic Mail

  1. Electronic mail (e-mail) is provided for official business purposes.

  2. Employees should evaluate the propriety of e-mail as the communication vehicle for particular information or work products. If there is doubt as to whether e-mail is appropriate, employees should check with their manager. Guidance on the use of e-mail may be found in IRM 1.10.3, Standards for Using E-Mail, http://publish.no.irs.gov/getpdf.cgi?catnum=34421.

  3. Confidentiality requirements for taxpayer returns and return information, as those terms are defined in IRC 6103(b)(1) and (2), are not changed by the use of e-mail.

  4. Where appropriate, Enterprise Remote Access Protocol (ERAP) and encryption should be used for e-mail to IRS employees.

  5. E-mail is subject to disclosure under the Freedom of Information Act (FOIA) and the applicable rules of civil or criminal discovery in litigation applies to the same extent as paper documents. Communications for which privileges may be available (e.g., attorney-client, attorney work product) apply to e-mail as well as to traditional formats.

  6. Record retention and preservation guidelines apply to e-mail communications based on their content. Guidelines may be found in IRM 1.15.6, Managing Electronic Records, http://publish.no.irs.gov/getpdf.cgi?catnum=31431and in the records control schedules for Chief Counsel (see CCDM 30.6.1.2.4).

  7. Routing and review procedures for e-mail are the same as for letters and memoranda. Unless otherwise requested or unless simultaneous review is necessary, work products should be sent to the addressee(s) through customary supervisory/review channels.

  8. "Broadcast/All User" e-mail messages should receive pre-authorization in the headquarters office by an Associate Chief Counsel. In field offices, "All User" messages should be approved by the Area Counsel; cross-functional messages should be approved by the F&M Area Manager. "All User" e-mail messages should include the name and title of the authorizing official.

30.6.1.2.4  (01-30-2008)
Records Statutes, Records Control Schedules and Disclosure

  1. For assistance with legal questions concerning the application of Federal records statutes or regulations, contact the Associate Chief Counsel (General Legal Services).

  2. The records control schedules for Chief Counsel can be found at:

    • IRM 1.15.13, Records Control Schedule for Chief Counsel, http://publish.no.irs.gov/getpdf.cgi?catnum=30982

    • IRM 1.15.14, Records Control Schedule for Chief Counsel/Associate Chief Counsel / Tax Exempt and Government Entities (TE/GE), http://publish.no.irs.gov/getpdf.cgi?catnum=30983

    • IRM 1.15.15, Records Control Schedule for Regional/District Counsel, http://publish.no.irs.gov/getpdf.cgi?catnum=30984

  3. Contact the National Records Officer or the local records officer with questions about the existence or identity of general records schedules or record control schedules covering a particular record or records.

  4. For assistance with issues related to accessing or disclosing Service records pursuant to IRC § 6103, FOIA, or the Privacy Act, contact Branches 6 and 7 in the Office of the Associate Chief Counsel (Procedure and Administration).

30.6.1.3  (03-29-2006)
Security of Personnel and Property

  1. The Office of Chief Counsel is committed to providing for the security of its employees and will seek to minimize or eliminate safety hazards and to encourage safe practices. Further information can be found in IRM 1.14.5, Occupational Safety and Health Program, http://publish.no.irs.gov/getpdf.cgi?catnum=31452.

  2. The Office of Chief Counsel will follow the guidelines established by IRS, Department of the Treasury, GSA, and the Department of Homeland Security.

  3. Employees should ensure that information, documents and property entrusted to them are secured. Those who are in private offices have the responsibility of locking doors when leaving their work areas. Employees should keep personal valuables in their possession.

  4. Employees are responsible for preventing unauthorized entry into areas where government information, documents and property are located.

  5. At the close of business, managers should ensure that doors leading into areas under their control and supervision are locked.

  6. Employees should immediately report burglary, robbery, or theft of government or personal property to their manager and to the servicing Security Office. All thefts, no matter how small, should be reported.

30.6.1.3.1  (03-29-2006)
Identification Media

  1. Employees are responsible for the security of pocket commissions, ID cards (badges) and other types of identification media issued to them. Identification media should be in the possession of employees and should never be left unattended in briefcases, unlocked desk drawers, vehicles, etc. When not in use they should be stored in a locked container or left with a manager.

  2. Employees will display ID cards at all times while in IRS facilities.

  3. Employees must immediately report the loss, theft or destruction of identification media through their manager to the servicing Security office. The report should explain the circumstances and describe the recovery attempts made.

  4. The recovery of any type of identification media should be reported through channels to the issuing Security office.

30.6.1.3.2  (01-30-2008)
Protection Standards

  1. The policy of the Office of Chief Counsel is to provide reasonable protection commensurate with the nature and value of the information or property involved. Protective measures will vary by location, function and facility.

  2. In general, access to space, property and the information contained therein will be restricted to those with a need for access.

  3. For Counsel-specific guidelines, see CCDM 30.5.1, Space, Property, Procurement, and Telecommunications, http://publish.no.irs.gov/getpdf.cgi?catnum=29063.

  4. For IRS access and protection standards, see:

    • IRM 1.16.12, Facility and Property Protection, http://publish.no.irs.gov/getpdf.cgi?catnum=31802

    • IRM 1.16.14, Methods of Providing Protection, http://publish.no.irs.gov/getpdf.cgi?catnum=31804

    • IRM 1.16.15, Minimum Protective Standards, http://publish.no.irs.gov/getpdf.cgi?catnum=31805

  5. Where feasible, reception areas will be provided. Conference rooms and other areas expected to be used by visitors will be placed near entrances and away from secured or restricted areas.

30.6.1.3.3  (03-29-2006)
Access Control

  1. Employees will be required to sign a receipt for door keys, building keys and electronic access cards issued to them. Under no circumstances should keys be duplicated by employees.

  2. Employees are responsible for reporting the loss of keys or access cards to the Administrative Officer (employees located in Headquarters offices) or F&M Office Manager (field offices). The Administrative Officer or Office Manager is responsible for reporting key reassignments and losses to the local IRS Security office.

  3. Codes for combination locks and key pads should be changed:

    • At least once every six months

    • When anyone with the current combination leaves or is terminated

    • When an attempt to compromise the combination is made

  4. Keyed locks should be changed periodically as the budget permits.

  5. Electronic access cards, door keys and building keys must be returned when employees resign, retire, are reassigned to another office, or are terminated.

30.6.1.3.4  (03-29-2006)
Mail Handling

  1. In response to various incidents in the US Postal Service (USPS) system, all Counsel mail, regardless of the source or method of delivery (e.g., overnight delivery services), will be opened prior to delivery. The only exceptions are bulk mail and mail that has been irradiated by USPS. Deliveries should be made to the area specified by the Agency-Wide Shared Services (AWSS) representative for the building.

  2. Employees opening mail should take appropriate precautions; protective supplies will be provided by IRS or Counsel.

  3. Office Managers and headquarters Administrative Officers should prominently post guidelines for processing mail and packages in the mail area, including phone numbers for appropriate Security personnel. They may obtain further information from their servicing Security office.

  4. Employees should be alert to suspicious packages which may:

    • Appear unusual

    • Carry excessive postage

    • Display restrictive endorsements such as "Personal" or "Confidential"

    • Contain misspelled or misidentified names, titles, addresses or organizations

    • Be unexpected mail from a foreign country

  5. If a suspicious package is discovered, employees should not handle the package or remove any items from the area. They should leave the area, gently close the door, and contact their manager. If a biochemical substance is suspected, the employee should immediately contact the Security office and follow their direction.

30.6.1.3.4.1  (03-29-2006)
Mail Delays

  1. The current USPS procedures in response to anthrax threats may cause delays in sending mail to the Tax Court, Department of Justice, or other Federal offices in the Washington, D.C. area.

  2. Employees should be aware of possible delays and should consider whether overnight delivery or some form of electronic transmission (fax or e-mail) is a suitable alternative if the material is truly time sensitive.

  3. Procedures for addressing legal issues resulting from delays in mail destined for the Tax Court are covered in more detail in CCDM Part 35.


More Internal Revenue Manual