5101:9-9-25 Federal tax information safeguarding procedures.

(A) Federal tax information (FTI): definition, usage limitations and notification, and non-disclosure.

(1) FTI is any return or return information received from the internal revenue service (IRS) or secondary source, such as the social security administration (SSA), federal office of child support enforcement, or U.S. department of the treasury - bureau of the fiscal service, and also includes any information created and/or maintained by the Ohio department of job and family services (ODJFS) or a county agency that is derived from these sources.

(2) FTI is provided to federal, state, and local agencies by the IRS or the SSA for use in the cash assistance, food assistance, unemployment compensation, and child support programs as authorized by the Internal Revenue Code, and is provided solely for the purpose of performing the responsibilities of each program.

(3) 26 U.S.C. 6103 (section 6103 of the Internal Revenue Code) limits the usage of FTI to only those purposes explicitly defined. The IRS office of safeguards requires advance notification (at least forty-five days) prior to implementing certain operations or technological capabilities that require additional uses of the FTI, such as:

(a) Contractor access;

(b) Cloud computing;

(c) Consolidated data center;

(d) Data warehouse processing;

(e) Non-agency-owned information systems;

(f) Tax modeling;

(g) Test environment; and

(h) Virtualization of IT systems.

(4) Disclosure of FTI to any contractor is not permitted unless the agency notifies the IRS office of safeguards, in writing, per the IRS forty-five day notification reporting requirements and obtains approval prior to re-disclosing FTI to a specifically noted contractor.

(5) FTI associated with the treasury offset program (TOP) may not be disclosed to any contractor for any purpose, except for limited child support enforcement purposes, as specified in IRS publication 1075.

(B) Confidential personal information (CPI) is defined in section 1347.15 of the Revised Code, and does include FTI, but FTI must meet additional safeguards as outlined by the IRS.

(C) Safeguarding procedures and controls ensure the confidential relationship between the taxpayer and the IRS. Safeguarding procedures and controls are derived from IRS publication 1075, "Tax Information Security Guidelines for Federal, State, and Local Agencies" prepared and updated by the IRS.

(D) The IRS conducts on-site safeguard reviews of ODJFS safeguard controls, at a minimum once every three years, which includes an evaluation of the use of FTI and the measures employed by the receiving agency to protect the data. An independent internal inspection of specific offices within ODJFS is required every eighteen months. In addition, periodic independent internal inspections of all local offices must be conducted to ascertain if the safeguarding controls that are in place meet the requirements of IRS publication 1075. Offices to be inspected include, but are not limited to those referenced in paragraph (A)(2) of this rule. Periodic inspections conducted by program offices of local offices occur every three years. A record will be made of each inspection, citing the findings (deficiencies) as well as recommendations and corrective actions to be implemented where appropriate.

(E) All program offices and their respective local agencies must ensure procedures are implemented governing the safeguarding of FTI as defined by IRS publication 1075. Procedures must be updated to reflect any significant program changes.

(F) Per section 6103 of the Internal Revenue Code, all agencies receiving FTI are required to provide a disclosure awareness training program for their employees and contractors. Disclosure awareness training is described in detail within IRS publication 1075. Employees and contractors must maintain their authorization to access FTI through annual training and recertification. Prior to granting an agency employee or contractor access to FTI, each employee or contractor must certify his or her understanding of the IRS's and the agency's security policy and procedures for safeguarding IRS information. Employees must be advised of the provisions of sections 7431, 7213, and 7213A of the Internal Revenue Code regarding the "Sanctions for Unauthorized Disclosure" and the "Civil Damages for Unauthorized Disclosure." Agencies must also comply with the requirements of rule 5101:9-9-25.1 of the Administrative Code.

(G) Additional FTI safeguarding procedures.

(1) FTI must be maintained separately from other information to the maximum extent possible to avoid inadvertent disclosures and to comply with the federal safeguards required by paragraph (p)(4) of section 6103 of the Internal Revenue Code. Agencies with FTI must also comply with all other requirements of paragraph (p)(4) of section 6103 of the Internal Revenue Code.

(2) All information obtained from the IRS must be safeguarded in accordance with the safeguarding requirements of paragraph (p)(4) of section 6103 of the Internal Revenue Code, as described in IRS publication 1075.

(H) Prohibition against public disclosure of safeguards reports and related communications.

(1) ) Safeguards reports and related communications, such as IRS official agency records that are the property of the IRS, and IRS records that are subject to disclosure restrictions under federal law and IRS rules and regulations, may not be released publicly under state sunshine or information sharing/open records provisions. Release of any IRS safeguards document requires the express permission of the IRS. Requests received through sunshine and/or information sharing/open records provisions must be referred to the federal Freedom of Information Act (FOIA) statute for processing. State and local agencies receiving such requests should refer the requestor to the instructions to file a FOIA request with the IRS. Additional guidance may be found at: http://www.irs.gov/uac/IRS-Freedom-of- Information and questions should be referred to the safeguards mailbox at Safeguardreports@irs.gov.

(2) If it is determined that it is necessary to share safeguarded IRS documents and related communications with another governmental function/branch for the purposes of operational accountability or to further facilitate protection of federal tax information, the recipient governmental function/branch must be made aware, in unambiguous terms, that the documents and related communications:

(a) Are the property of the IRS;

(b) Constitute IRS official agency records; and

(c) Are subject to disclosure restrictions under federal law and IRS rules and regulations.

Replaces: 5101:9-9-25

Effective: 5/1/2016
Promulgated Under: 111.15
Statutory Authority: 5101.02
Rule Amplifies: 329.04, 5101.03
Prior Effective Dates: 5/1/93, 9/27/93, 6/26/95, 2/15/96, 11/1/96, 10/4/02, 5/23/03