(A) Federal tax information (FTI):
definition, usage limitations and notification, and nondisclosure.
(1) FTI is any return or return information
received from the internal revenue service (IRS) or secondary source, such as
the social security administration (SSA), federal office of child support
enforcement, or U.S. department of the treasury - bureau of the fiscal service,
and also includes any information created and/ or maintained by the Ohio
department of job and family services (ODJFS) or a county agency that is
derived from these sources.
(2) FTI
is provided to federal, state, and local agencies by the IRS or the SSA for use
in the cash assistance, food assistance, unemployment compensation, and child
support programs as authorized by the Internal Revenue Code, and is provided
solely for the purpose of performing the responsibilities of each
program.
(3)
26
U.S.C. 6103 (section 6103 of the Internal
Revenue Code) limits the usage of FTI to only those purposes explicitly
defined. The IRS office of safeguards requires advance notification (at least
forty-five days) prior to implementing certain operations or technological
capabilities that require additional uses of the FTI, such as:
(a) Contractor access;
(b) Cloud computing;
(c) Consolidated data center;
(d) Data warehouse processing;
(e) Non-agency-owned information
systems;
(f) Tax
modeling;
(g) Test environment;
and
(h) Virtualization of IT
systems.
(4) Disclosure
of FTI to any contractor is not permitted unless the agency notifies the IRS
office of safeguards, in writing, per the IRS forty-five day notification
reporting requirements and obtains approval prior to re-disclosing FTI to a
specifically noted contractor.
(5)
FTI associated with the treasury offset program (TOP) may not be disclosed to
any contractor for any purpose, except for limited child support enforcement
purposes, as specified in IRS publication 1075,"Tax Information Security
Guidelines for Federal, State, and Local Agencies."
(B) Confidential personal information (CPI)
is defined in section
1347.15
of the Revised Code, and does include FTI, but FTI must meet additional
safeguards as outlined by the IRS.
(C) Safeguarding procedures and controls
ensure the confidential relationship between the taxpayer and the IRS.
Safeguarding procedures and controls are derived from IRS publication 1075,
prepared and updated by the IRS.
(D) The IRS conducts on-site safeguard
reviews of ODJFS safeguard controls, at a minimum once every three years, which
includes an evaluation of the use of FTI and the measures employed by the
receiving agency to protect the data. An independent internal inspection of
specific offices within ODJFS is required every eighteen months. In addition,
periodic independent internal inspections of all local offices must be
conducted to ascertain if the safeguarding controls that are in place meet the
requirements of IRS publication 1075. Offices to be inspected include, but are
not limited to those referenced in paragraph (A)(2) of this rule. Periodic
inspections conducted by program offices of local offices occur every three
years. A record will be made of each inspection, citing the findings
(deficiencies) as well as recommendations and corrective actions to be
implemented where appropriate.
(E)
All program offices and their respective local agencies must ensure procedures
are implemented governing the safeguarding of FTI as defined by IRS publication
1075. Procedures must be updated to reflect any significant program
changes.
(F) Per section 6103 of
the Internal Revenue Code, all agencies receiving FTI are required to provide a
disclosure awareness training program for their employees and contractors.
Disclosure awareness training is described in detail within IRS publication
1075. Employees and contractors must maintain their authorization to access FTI
through annual training and recertification. Prior to granting an agency
employee or contractor access to FTI, each employee or contractor must certify
his or her understanding of the IRS's and the agency's security policy and
procedures for safeguarding IRS information. Employees must be advised of the
provisions of sections 7431, 7213, and 7213A of the Internal Revenue Code
regarding the "Sanctions for Unauthorized Disclosure" and the "Civil Damages
for Unauthorized Disclosure." Agencies must also comply with the requirements
of rule 5101:9-9-25.1 of the Administrative Code.
(G) Additional FTI safeguarding procedures.
(1) FTI must be maintained separately from
other information to the maximum extent possible to avoid inadvertent
disclosures and to comply with the federal safeguards required by paragraph
(p)(4) of section 6103 of the Internal Revenue Code. Agencies with FTI must
also comply with all other requirements of paragraph (p)(4) of section 6103 of
the Internal Revenue Code.
(2) All
information obtained from the IRS must be safeguarded in accordance with the
safeguarding requirements of paragraph (p)(4) of section 6103 of the Internal
Revenue Code, as described in IRS publication 1075.
(H) Prohibition against public disclosure of
safeguards reports and related communications.
(1) ) Safeguards reports and related
communications, such as IRS official agency records that are the property of
the IRS, and IRS records that are subject to disclosure restrictions under
federal law and IRS rules and regulations, may not be released publicly under
state sunshine or information sharing/ open records provisions. Release of any
IRS safeguards document requires the express permission of the IRS. Requests
received through sunshine and/ or information sharing/open records provisions
must be referred to the federal Freedom of Information Act (FOIA) statute for
processing. State and local agencies receiving such requests should refer the
requestor to the instructions to file a FOIA request with the IRS. Additional
guidance may be found at:
http://www.irs.gov/uac/IRS-Freedom-of-Information
and questions should be referred to the safeguards mailbox at
Safeguardreports@irs.gov.
(2) If it
is determined that it is necessary to share safeguarded IRS documents and
related communications with another governmental function/branch for the
purposes of operational accountability or to further facilitate protection of
federal tax information, the recipient governmental function/branch must be
made aware, in unambiguous terms, that the documents and related
communications:
(a) Are the property of the
IRS;
(b) Constitute IRS official
agency records; and
(c) Are subject
to disclosure restrictions under federal law and IRS rules and
regulations.