Requirements for Safeguarding Federal Tax Information

Federal Tax Information (FTI)

FTI refers to data originally sourced from federal tax returns, provided by federal agencies to human service agencies. CDSS receives FTI from the IRS and SSA and provides it to the county Social Services Agency IEVS unit via the BEER and IRS Asset matches in paper format.

The IEVS unit is required to store FTI in a secured environment as described in the “Tax Information Security Guidelines for Federal, State, and Local Agencies” (Pub 1075). All documents and files containing FTI must be identified as federal tax information.” The IEVS Eligibility Examiners (EEs) are the only employees permitted to handle FTI records due to confidentiality requirements.

Note: Because technology changes often, the IRS Office of Safeguards website should be monitored for updates. This website provides information on current and upcoming requirements, resources, and alerts. The current version of IRS Publication 1075 is also available at this site.

Authorized Employees of the County

Only county employees who have a business need to access FTI to perform their duties or fulfill their responsibilities are deemed authorized to access FTI and they must have:

Passed a background investigation under Pub 1075 Section 5.1.1 “Background Investigation Minimum Requirements”
Completed safeguard training specific to FTI
Signed a document certifying:
- Their understanding of their responsibilities for safeguarding FTI
- Their understanding of the requirement to report incidents or breaches (actual or suspected) of FTI to the appropriate federal agencies (IRS, Treasury Inspector General for Tax Administration, and/or SSA)
- Their understanding of the criminal penalties associated with the unauthorized access to and disclosure of FTI.

Voice Over Internet Protocol (VoIP) and FTI

All VoIP systems convert analog audio signals into digital data packets that can be transmitted through networks, including the Internet. Any VoIP systems and certain types of video conferencing using VoIP technology and systems which carry FTI must be secured.

Preventing FTI in VoIP

If the VoIP systems do not meet the requirements for securing FTI as provided in Pub 1075, landline PSTN phone systems must be used, or FTI must not be introduced into the VoIP systems.

The following techniques must be used to prevent FTI from being input into an unsecured VoIP system:

Do not provide details from the IRS Asset or BEER matches
Do not reveal the source of the information
Use vague terms when referencing data and its sources such as “retirement” instead of “your federal retirement benefits from working for the IRS”
Let the client provide details
Provide the information by fax or by email and follow IRS requirements for securely transmitting FTI by fax or email.

Important: Access to FTI by employees during teleworking is strictly prohibited regardless of the means (landline, fax, email, VoIP phone).

Exception: Information is NOT considered FTI when a financial institution, an employer, or the individual who filed the tax return provides the information directly.

Mobile Devices

Due to the vulnerable nature of wireless connectivity and the challenges associated with securing VoIP networks, the use of mobile VoIP devices (phones or tablets) to access FTI is strictly prohibited.

Recording Devices

When speaking to a client about the FTI from an IRS Asset and/or BEER match, the conversation must not be recorded for any purpose by any person or entity. Recording of conversations that may include FTI is strictly prohibited.

Client Authorization

Written authorization from clients is not required to discuss personal information or FTI with them. However, verbal authorization and the documentation of the verbal authorization is required when an interpreter discusses FTI with the client. Before discussing the client’s personal information and FTI with an interpreter, the client must acknowledge and accept that FTI will be shared with an interpreter to continue the discussion. The client’s verbal authorization must be documented in the case journal and must include:

The date and location of the discussion and/or if information was discussed by telephone
That an IEVS match abstract or income documents prompted the need for the discussion
That the conversation was not recorded.

County-Employed and Other Interpreters

A county-employed interpreter who meets the requirements as an authorized employee may interpret and discuss specific FTI for clients. When clients provide their own interpreters, such as friends, family, or any other third party, clients have the right to disclose their personal information and FTI during the discussion.

Contracted Interpreter Services and Offshore Restriction

The contracted interpretation service providers located offshore are not permitted to discuss FTI, and no FTI may be accessed by agency employees, agents, representatives, or contractors located offshore, i.e. outside of the United States or United States territories, embassies, or military installations.

The contracted interpretation services that cover FTI must complete the Sub-Contractor Certification Letter. For further assistance obtaining Sub-Contractor Certification Letter, contact the IEVS Coordinator.

Re-Disclosure Restriction of FTI to Contractor-Owned Systems

The IRS restricts FTI from being disclosed to any contractor-owned systems including the SAWS. FTI received as part of the IEVS IRS Asset and BEER matches should not be documented in the network system components that make up the VoIP system or any computer system that is owned, operated, and administered by a contractor.

Documentation Restrictions

The safeguarding requirements outlined in Pub 1075 also apply to newly created FTI in paper and electronic format. New FTI is created when documents or files containing FTI are copied, scanned, faxed, or FTI is manually typed into a computer application. Creating new FTI can occur when IEVS staff process IRS Asset and BEER matches and:

Generate client or third-party letters containing FTI
Document the processing of BEER or Asset matches in any computer application
Scan documents containing FTI into any computer application.

Important: The creation of a new FTI is not itself a violation of the Internal Revenue Code restriction. Rather the violation occurs when FTI is disclosed to contractor-owned systems. FTI information must not be referenced in the case journal.

To sufficiently protect FTI from being referenced in the case journal:

Document the processing of IEVS matches by using the generic “IEVS Review” for ALL ten (10) matches
Omit comments referring to IRS Asset and BEER matches, tax years, Match Run Dates or report numbers completely
Do not replace any IEVS acronyms with codes.

System Audit

All systems, documents, and files (including electronic formats) containing FTI are subject to audit requirements. The information system audit records must be reviewed and updated weekly. Audit and accountability policies must be reviewed and updated as needed or every three years minimum and audit records should be stored for a minimum of seven years.

Note: Support resources for systems audit can be obtained from the NIST Special Publication (NIST SPs) and the IRS Office of Safeguards website, Audit-related NIST information can be found at the NIST Audit and Accountability Control Family page.