The IRS’s privacy impact assessment (PIA) process examines the risks and ramifications of using IT to collect, maintain, and disseminate information in identifiable form about members of the public and agency employees, but it has not established effective processes to ensure that PIAs are completed timely, updated, and made publicly available and that privacy policies are posted on public websites for all required systems and collections of information, the Treasury Inspector General for Tax Administration has said.
It said that in December 2011, the IRS implemented a PIA management system to automate the process of completing PIAs in a more efficient and less time-consuming way. However, several key processes were not effectively automated, TIGTA found. It said for example that privacy analysts must view numerous individual screens rather than scrolling through the information seamlessly, responses in the system are not grouped by topic or subject matter, and the automated e-mail notification function is not consistent.
Management agreed with recommendations to document and publicize the customer survey PIA completion process, establish a PIA inventory control process to identify and review systems every three years as required, automate the notification process to alert responsible officials when new or existing PIAs are required to be posted to the IRS public website, and ensure that current and complete standard operating procedures are established and maintained for all PIA processes.
