Security of IRS Taxpayer Information: Characteristics of Unauthorized Employee Access and Disclosure Cases

What the GAO found
Federal tax information consists of federal tax returns and return information and is covered by the confidentiality protections of the Internal Revenue Code. Return information may include information extracted from a return, including the names of dependents or the location of a business. A number of Internal Revenue Service (IRS) offices share responsibilities for monitoring policies and practices that protect federal tax information. IRS employees are responsible for accessing federal tax information only when necessary to perform their official duties. IRS employees also play a role in protecting the privacy and confidentiality of taxpayer information to which they have access.
If IRS employees access tax information that (1) is not part of their assigned duties, or (2) is otherwise prohibited, then such access is not authorized. Unauthorized access may be considered unintentional or deliberate. UNAX is the deliberate unauthorized access, attempt to access, or inspection of tax returns or return information. Similarly, disclosures of tax information that are not authorized may be considered inadvertent or deliberate.
The Treasury Inspector General for Tax Administration (TIGTA) investigates alleged cases of UNAX or unauthorized disclosure to determine if the incident can be justified. TIGTA becomes aware of UNAX and unauthorized disclosure incidents when someone reports an incident or through its own analysis of IRS reports, both of which can come from a number of sources. If TIGTA determines that there is sufficient evidence to suggest that an UNAX violation or unauthorized disclosure has occurred, it refers the matter to the Department of Justice to determine whether it wishes to prosecute. TIGTA also provides the IRS with information gathered during its investigation. IRS employees are subject to criminal penalties for UNAX and unauthorized disclosure violations, including jail time or fines.
The IRS investigates and, if appropriate, determines the penalty for IRS employees who have committed violations of UNAX and unauthorized disclosure. For cases that the IRS determines warrant disciplinary action, the employee’s management team determines the appropriate sanctions. IRS policy generally requires that the employee’s removal from the IRS be offered for all UNAX violations. IRS policy also states that deletion is an appropriate penalty for willful unauthorized disclosure violations.
About a quarter of the cases investigated during the GAO’s review period were ultimately confirmed. Between fiscal years 2012 and 2021, the IRS completed 1,694 investigations of employee discipline cases that included a UNAX issue. More than half of the UNAX cases came from the IRS’ payroll and investment division. About 30% of cases came from the Small Business/Self-Employed Division. Of the 1,694 UNAX cases, 12% (204) also included an unauthorized disclosure issue. The IRS justified 27% of the 1,694 UNAX cases as violations and about 24% of the 204 cases as unauthorized disclosure. Over the past 10 fiscal years, it has taken TIGTA and the IRS, on average, a combined 464 days to investigate and close UNAX cases.
The majority of UNAX violations and unauthorized disclosures in fiscal years 2012-2021 were committed by non-executive employees. Officials accounted for less than 10% of UNAX and less than 15% of unauthorized disclosure violations. During this same period, permanent full-time employees committed most UNAX violations and unauthorized disclosures.
More than 82% of UNAX violations resulted in the suspension, resignation or dismissal of the offending employee. In all cases where the IRS found employees committed both UNAX violations and unauthorized disclosures, the offending employee was also suspended, resigned, or fired.
Why GAO Did This Study
The US tax system is based on voluntary compliance. One factor that can influence an individual’s willingness to voluntarily comply with the tax system is trust that the IRS is protecting their personal and financial information.
The GAO was asked to describe IRS processes for safeguarding federal tax information and what is known about UNAX cases and the unauthorized disclosure of federal tax information by IRS employees.
GAO analyzed IRS data, reviewed IRS and TIGTA documentation, and interviewed IRS and TIGTA officials for this analysis.
For more information, contact Jessica Lucas-Judy at (202) 512-6806 or LucasJudyJ@gao.gov or Jennifer Franks at (404) 679-1831 or FranksJ@gao.gov.