The Treasury Inspector General for Tax Administration has issued a new report, “Improvements Are Needed to Ensure the Effectiveness of the Privacy Impact Assessment Process” (Treasury IG pdf; archive pdf), concerning privacy processes at the Internal Revenue Service. The IG conducted the audit of the IRS’s Privacy Impact Assessment (PIA) processes “at the request of the IRS to evaluate its implementation of the privacy provisions of the E-Government Act of 2002 […] In addition, the Consolidated Appropriations Act of 2005, Section 522, requires the Inspector General of each agency to evaluate privacy and data protection procedures.”
The IG found: “The IRS has not established effective processes to ensure that the PIAs are completed timely, updated, and made publicly available and that privacy policies are posted on public websites for all required systems and collections of information. Further, in December 2011, the IRS implemented the Privacy Impact Assessment Management System (PIAMS) to automate the process of completing PIAs in a more efficient and less time-consuming way. However, several key processes were not effectively automated.”
The IG recommended, among other things, “1) establish an annual reconciliation of PIA inventories with information systems and collections of information in the current production environment; 2) document and publicize the customer survey PIA completion process; 3) establish a PIA inventory control process to identify and review systems every three years as required; 4) automate the notification process to alert responsible officials when new or existing PIAs are required to be posted to the IRS public website; and 5) ensure that current and complete standard operating procedures are established and maintained for all PIA processes.”
In response, the IRS “agreed with nine of the recommendations but indicated that it had already implemented two recommendations by overhauling the PIAMS template and involving privacy analysts and other users in requirements gathering and testing of PIAMS functionality. TIGTA did not see evidence of these corrective actions and continues to believe that the PIAMS version, at the time of our review, could be improved to effectively automate the key privacy impact assessment processes.”