Review of Tax Processing System Planning for the Internal Revenue Service - A Report to the Internal Revenue Service Department of the Treasury

About this PDF file: This new digital representation of the original work has been recomposed from XML files created fr...

Author: Committee on Internal Revenue Service Tax Processing System Planning | Board on Telecommunications-Computer Applications | Assembly of Engineering & National Research Council

10 downloads 584 Views 1MB Size Report

This content was uploaded by our users and we assume good faith they have the permission to share this book. If you own the copyright to this book and it is wrongfully on our website, we offer a simple DMCA procedure to remove your content from our site. Start by pressing the button below!
Report copyright / DMCA form

DOWNLOAD PDF

About this PDF file: This new digital representation of the original work has been recomposed from XML files created from the original paper book, not from the original typesetting files. Page breaks are true to the original; line lengths, word breaks, heading styles, and other typesetting-specific formatting, however, cannot be retained, and some typographic errors may have been accidentally inserted. Please use the print version of this publication as the authoritative version for attribution.

i

Review of Tax Processing System Planning for the Internal Revenue Service A Report to the Internal Revenue Service Department of the Treasury

by the Committee on Internal Revenue Service Tax Processing System Planning Board on Telecommunications-Computer Applications Assembly of Engineering National Research Council

NATIONAL ACADEMY PRESS Washington, D.C. 1980


ii

NOTICE: The project that is the subject of this report was approved by the Governing Board of the National Research Council, whose members are drawn from the Councils of the National Academy of Sciences, the National Academy of Engineering, and the Institute of Medicine. The members of the Committee responsible for the report were chosen for their special competences and with regard to appropriate balance. This report has been reviewed by a group other than the authors according to procedures approved by a Report Review Committee consisting of members of the National Academy of Sciences, the National Academy of Engineering, and the Institute of Medicine. The National Research Council was established by the National Academy of Sciences in 1916 to associate the broad community of science and technology with the Academy's purposes of furthering knowledge and of advising the federal government. The Council operates in accordance with general policies determined by the National Academy under the authority of its congressional charter of 1863, which establishes the Academy as a private, nonprofit, self-governing membership corporation. The Council has become the principal operating agency of both the National Academy of Sciences and the National Academy of Engineering in the conduct of their services to the government, the public, and the scientific and engineering communities. It is administered jointly by both Academies and the Institute of Medicine. The National Academy of Engineering and the Institute of Medicine were established in 1964 and 1970, respectively, under the Charter of the National Academy of Sciences. This report represents work under Contract TIR-79–35 between the National Academy of Sciences and the Internal Revenue Service. Copies of this publication are available from: National Technical Information Service Department of Commerce 5825 Port Royal Road Springfield, Virginia 22161 Printed in the United States of America


FOREWORD

iii

FOREWORD

Service on a National Research Council committee is a part-time endeavor for its members, who meet only perhaps six or eight times during a one-year study. Nonetheless, such a committee can develop deep insights into a situation and learn an enormous amount about an organization. In this study, the Committee read a considerable volume of material; it talked individually and collectively with many people; and it visited appropriate field sites. Moreover, each member is skilled and has long experience in his subject area. Some members, for example, have direct personal experience with a major computer system replacement, have watched one take place, or have audited an unsuccessful one. Each member has served previously on a review activity of this kind and thus has developed a keen sensitivity to not only what has been said but also what has not been said. Each has developed an ability to recognize danger signals that lie unnoticed behind plans, in oral presentations, or in documents. Thus, many of our findings reflect personal experience, management insights, and judgments rather than hard data. The issues involved in our examination have not been simply technological or scientific; rather, they have had substantial subjective components. Furthermore, our view of the Internal Revenue Service can not be comprehensive. However, when the presentations, field visits, discussions, and written material are played against our collective experience and professional skills, the judgments reached are sound, and reflect the composite wisdom of a group which traveled and met together, and interacted extensively both internally and with Internal Revenue Service officials. Authorship of a report is always a joint effort. Initial drafts of chapters II and III were provided by the respective panels with assistance from the Technology Panel. The introductory material and Appendix B were drafted by National Research Council staff officer E.R.Lannon, who not only handled all administrative details but also, because of his prior experience with many government agencies, contributed to the substantive work of the Committee. Appendix A was written by Francine Schulberg of Sutherland, Asbill & Brennan. The final document reflects the views and detailed comments of the entire Committee. The chairman of an effort like this inevitably imposes an extra burden on his own personal secretary. It is a pleasure to acknowledge the support of Delores Stimbert, who skillfully handled what must have seemed an endless stream of writing, rewriting, editing, and travel arrangements. I wish also to thank Kay McKenzie, word processing specialist, and Janet DeLand, editor and photo-compositor. Willis H.Ware Chairman


FOREWORD iv


FOREWORD

v

COMMITTEE ON IRS TAX PROCESSING SYSTEM PLANNING Willis H.Ware (Chairman), Corporate Research Staff, The Rand Corporation Wilbur B.Davenport, Jr. (Deputy Chairman), Professor of Communications Science & Engineering, Massachusetts Institute of Technology Frank L.Allen, Vice President, Information Systems, Arthur D.Little, Inc. Lee L.Davenport,* Vice President-Chief Scientist, General Telephone & Electronics Corp. Jean H.Felker, Vice President, Software and Processor Technologies, Bell Laboratories John A.Gosden, Vice President, Telecommunications, Equitable Life Assurance Society Francis M.Gregory, Jr., Partner,Sutherland, Asbill & Brennan Susan Hubbell Nycum, Gaston Snow & Ely Bartlett Louis T.Rader,** Professor of Business Administration, University of Virginia Jack B.Robbins, Major General, U.S. Air Force (Retired) William W.Shine, Senior Vice President, Chase Manhattan Bank, N.A. Sheila M.Smythe, Executive Vice President, Blue Cross and Blue Shield of Greater New York Staff: Edwin R.Lannon, Study Director Linda Jones, Administrative Secretary *Ex-officio as Deputy Chairman, Board on Telecommunications-Computer Applications, July 1979-June 1980. **Ex-officio as Chairman, Board on Telecommunications-Computer Applications, July 1979–June 1981.


FOREWORD vi

PRIVACY-SECURITY-CONFIDENTIALITY PANEL

Willis H.Ware Susan H.Nycum Sheila M.Smythe Francis M.Gregory, Jr.

TRANSITION PANEL

John A.Gosden Jack B.Robbins Frank L.Allen

TECHNOLOGY PANEL

Wilbur B.Davenport, Jr. William W.Shine Jean H.Felker


FOREWORD

vii

BOARD ON TELECOMMUNICATIONS-COMPUTER APPLICATIONS Louis T.Rader (Chairman), Professor of Business Administration, University of Virginia J.C.R.Licklider (Deputy Chairman), Professor of Electrical Engineering and Computer Sciences, Massachusetts Institute of Technology Frank L.Allen, Vice President, Information Systems, Arthur D.Little, Inc. Ted E.Climis, Vice President, General Products Division, IBM Corporation Martin Cooper, Vice President-General Manager, Motorola, Inc. Irwin Dorros, Assistant Vice President, American Telephone & Telegraph Co. Robert R.Everett, President, The MITRE Corporation John C.Hancock, Dean of Engineering, Purdue University Brockway McMillan, Vice President-Military Systems (Retired), Bell Laboratories Robert D.Maurer, Manager, Special Projects, Corning Glass Works, Research & Development Laboratories Glen O.Robinson, Professor of Law, University of Virginia Joseph E.Rowe, Vice President—Technology, Harris Corporation Willis H.Ware, Corporate Research Staff, The Rand Corporation Staff: R.V.Mrozinski, Executive Director E.R.Lannon, Principal Staff Officer P.R.Nuhn, Principal Staff Officer E.Gaspard-Michel, Administrative Assistant Linda Jones, Administrative Secretary


FOREWORD viii


PREFACE

ix

PREFACE

This is a report basically about a technical matter, namely that of replacing the existing hardware-software configuration of the IRS computer-based recordkeeping system with an improved and more capable one. The usual tasks typical of such a computer system upgrade, including hardware selection, database conversion, rewriting software, planning the conversion, and managing the whole effort, will have to be performed. The IRS circumstance, however, is unique in that the record system in question deals with a body of information about people which by law is confidential, must therefore be appropriately protected, and can be disclosed only under carefully prescribed circumstances. In addition, strong sensitivities about tax information on the parts of the citizenry at large, of various oversight committees and members of Congress, and of other agencies of the Executive branch have combined to foreclose certain technical options that might otherwise be available. As perceived by various parties, the consequences of such advanced technology have been seen as undesirable. Thus, in this report technology per se is not a dominant issue although computer hardware and software issues are commonly considered technical matters. Many technical questions normally considered in connection with computer system upgrades are not relevant. Usually, the design and configuration of a computer-based system represent an engineering compromise in that the end product reflects a considered balance of many technical factors that are not always consonant and are sometimes in conflict. In the case of the IRS, however, the end product must in contrast reflect a socio-engineering compromise because of the social and political sensitivities associated with tax administration in general, and especially with the use and disclosure of tax information. The reader should, therefore, not expect discussion of many technical topics that would ordinarily be included in a treatment of computer-system conversions. Rather, he should be alert to the societal and cultural implications of a unique and essential recordkeeping system that is the object of much concern lest it become an instrument of government oppression. The Committee reviewed IRS plans for updating the computing equipment now used for tax administration and for moving from computer assembly language programming to the higher level programming language COBOL. The IRS provided substantial material describing its planning, including a major document entitled, Èquipment Replacement Program Management Plan,” issued in September 1979 by the Assistant Commissioner (Data Services). The IRS plan envisioned a three-phase program that would begin in January of 1980 and end in January 1987. It covered (1) the replacement of computing equipment now used in its ten Service Centers (to begin in January of 1980 and be completed in January 1985); (2) replacement of computing equipment in its National Computer Center (to begin in September 1983 and be completed in September 1986); and (3) replacement of the microfilm system for historical records, now in use at all operational levels of the IRS (to begin in September 1983 and be completed in January 1987). The IRS requested that the National Research Council conduct a one year assessment of its plan for the transition from old equipment to new equipment, with


PREFACE

x

particular emphasis on security and privacy considerations. The National Research Council assigned responsibility for the effort to its Board on Telecommunications-Computer Applications, which organized the Committee on IRS Tax Processing System Planning for the purpose. The Committee, which began work in October of 1979, included people with broad knowledge of computer security and privacy, large scale project management, and computer technology, including both hardware and software. The Committee also included people from academic, industrial, legal, and nonprofit institutions; equipment manufacturers were intentionally not represented. Throughout its review, the Committee enjoyed complete cooperation from the Internal Revenue Service. Site visits were made to a Service Center and the National Computer Center. Several meetings held with IRS officials in Washington both supplemented and complemented written materials provided at IRS initiative or at the request of the Committee. The Committee did not involve itself in the actual IRS planning and made no judgments on the efficiency or effectiveness of the equipment and overall system now in use. Very importantly, the Committee also accepted as given certain constraints which had been negotiated with the Office of Management and Budget on redesign of the present system, parts of which have been in operation since 1962. Furthermore, expressions of concern by Congress further limited the opportunity to exploit the newest technological ideas. Absent such restrictions, it is quite probable that a different IRS plan would have been developed, and that this report would have discussed various technical and system architectural options. In fact, the Committee limited its review to the planning as it had actually been done. Chapter I consists of introductory material describing the Internal Revenue Service and its perceptions of the problems inherent in its current mode of operations. The security and privacy issues relevant to the equipment replacement program are discussed in Chapter II. Chapter III treats the management of the large scale transition involved. Appendix A contains background material on the legislative and legal aspects of privacy and confidentiality; Appendix B details the briefings provided to the Committee and the documents it reviewed. The Committee is most appreciative of the open and frank discussions it had with officials of the Internal Revenue Service, in particular with Jerome Kurtz, the Commissioner of Internal Revenue; Deputy Commissioner William E.Williams; Assistant Commissioner (Data Services) Donald J.Porter; Deputy Assistant Commissioner (Data Services) Joseph E.Bishop; Director (Systems Development Office) Dean E.Morrow; and Deputy Director (Systems Development Office) Bernard Miller. The support and cooperation of these individuals was essential to the work of the Committee. The Committee also appreciates the support of R.V.Mrozinski, Executive Director of the Board on Telecommunications-Computer Applications; E.R.Lannon, Study Director; and Mrs. Linda Jones, who provided secretarial support.


OVERVIEW

xi

OVERVIEW

The Internal Revenue Service is basically an operational agency charged with administering tax law; therefore, it behaves as such on a daily basis and operates its computer systems on a factory-like production schedule. As happens to other federal agencies from time to time, the IRS now finds itself in the system acquisition business as it upgrades the computer equipment supporting various recordkeeping functions. Even though the IRS has been involved continuously in computer software modification and improvement, it has not undertaken a large engineering development task since the equipment now in the 10 Service Centers was installed in the late 1960s and early 1970s. While the plan is basically to replace equipment, unavoidably a certain amount of software change will also have to be done; together, the two constitute a substantial undertaking. Much of the discussion in Chapter III comments on certain IRS decisions (e.g., choice of the programming language COBOL). Many recommendations in the chapter are directed to management of the large effort planned, and especially to strengthening the role of the IRS internal Systems Development Office by enlarging its size and giving it control over funds. Other recommendations speak to essential aspects of planning, and to the detailed process of cutting over from the present system to the new one. In the IRS discussion of its Equipment Replacement Program with various external oversight committees of Congress and with the Office of Management and Budget, security and privacy have been special concerns. In the context of the Privacy Act of 1974, the IRS is required among other things to take reasonable precautions to safeguard the information it holds, i.e., to provide computer security safeguards. Importantly, the Act also stipulates careful control of dissemination, a point which the Tax Reform Act of 1976 also addresses by explicitly defining recipients who may receive tax information. In addition, the latter Act also establishes tax information as confidential in the legal context. The Committee found security at the Atlanta Service Center and at the National Computer Center at Martinsburg to be very good in terms of physical arrangements, employee training and awareness, procedures, and administrative controls. The software security safeguards in the Service Center machines are consistent with the state-of-art extant at the time of implementation, but also reflect upgrades as the art has advanced. The Committee also finds that the IRS has responded properly to the Privacy Act of 1974. Nonetheless, new threats against the tax information in the IRS computer-based recordkeeping systems will continue to develop. Therefore, the recommendations of Chapter II are directed toward ensuring that, in the recordkeeping context ensuing from the coming Equipment Replacement Program, the IRS will have computer security safeguards that are the best possible and that reflect the leading edge of the art. The recommendations also stress that all available resources should be exploited to help design the safeguards, including the Internal Audit Division of the IRS, the experience and research base of the Department of Defense outside of the IRS but within government, and appropriate private consultants who specialize in the area. The conclusions, findings, and recommendations follow.


OVERVIEW

xii

CHAPTER II: PRIVACY, SECURITY, AND CONFIDENTIALITY The Committee concludes that the existing legislative framework is an adequate foundation for protecting privacy and ensuring confidentiality, provided there is intelligent and good faith administration and interpretation of the law. The Committee concludes that the IRS must proceed slowly with its planning for computer-based systems and pace its expectations to the willingness of the country and its leadership to accept increasingly comprehensive tax administration recordkeeping systems. The Committee finds that the IRS is properly fulfilling the obligation imposed on it by the Privacy Act of 1974. With regard to the physical protection plus administrative and personnel aspects, the Committee finds that the security situation at the Atlanta and Martinsburg sites, which it visited, is very good. The Committee recommends that the IRS conduct a thorough audit of all security features that safeguard its computer systems, its data and files, its personnel, and its facilities. Since the Department of Defense has experience in both attempting to penetrate computer operating systems and developing methods for increasing the security of computer operating systems, the Committee recommends that the IRS seek its assistance in the computer security area. We recommend that the IRS carefully monitor computer security research efforts and exploit any results that can strengthen the in-place safeguards. The Committee therefore recommends that the IRS create, as part of its overall planning for transition from the existing computer environment to its new one, a specific plan for heightening security awareness and overseeing the special security aspects of transition. The Committee recommends that technical procedures and administrative means for controlling access to the National Computer Center computers, not only for program development runs but also for access to real data, be thoroughly reviewed for completeness, for possible loopholes, and for other shortcomings. The Committee recommends that relevant expertise from inside as well as outside the IRS be used to ensure that the software security controls and audit trails will be consistent with the best state-of-the-art. The Committee recommends that the IRS review both at the National Computer Center and at the Service Centers the number of personnel positions identified as `critical sensitive.” The Committee suggests that the Internal Audit Division now contains specialized skills that can be exploited during source selection considerations and also exploited for conceptualizing software security controls and audit trails. The Committee recommends that the Commissioner of the Internal Revenue Service invite the General Accounting Office to provide such an independent assessment of the capability of the Internal Audit Division. CHAPTER III: TRANSITION The Committee recommends that the existing general structure of programs and files not be altered to change the processing flow, the functions provided, or the overall system architecture.


OVERVIEW

xiii

Therefore, to maintain control and visibility, we strongly recommend that the Systems Development Office have sufficient staff and be organized so as to review the decisions and tradeoffs made at all management levels on the project. The Committee recommends that specific detailed plans be prepared for the cut-over phase, including acceptance criteria, and that prior preparations be made for emergency back-up actions. We recommend that the test-and-evaluation program contain precisely defined criteria for cut-over qualifications. We therefore recommend that the staff of the Systems Development Office be approximately doubled from the planned fifteen; that the Systems Development Office obtain expert advice on the adequacy of its project management system at the earliest date; and that representatives of the Systems Development Office routinely attend planning and design review meetings where program issues are discussed and decided, to develop their own sense of the information being provided by various task teams and also to maintain the automated project control system. The Committee recommends that the IRS require close and careful control of project funds by the Systems Development Office. The Committee strongly recommends that the IRS hold separate all project funds. It further recommends that the Director of the Systems Development Office be given budget assignment and control authority for project funds. The Committee recommends that the Systems Development Office maintain and periodically review its master plan and the necessary project reporting procedures to ensure a steady flow of management information. The Committee recommends that contingency plans be developed for the circumstances most likely to raise difficulty with the project system performance, schedule, or cost. The Committee recommends that the IRS evaluate the desirability of contracting with a firm that is expert in test-and-evaluation operations, either to undertake the actual test-and-evaluation or to ensure the adequacy of the test-and-evaluation procedures developed by the IRS. The Committee recommends that a project documentation tree be specified by the Systems Development Office. The documentation tree should name all required specifications, test documents, manuals, handbooks, and reports. We recommend that the IRS staff continue to study the response time issue and estimate by mathematical analysis, simulation, or test the likely effects on the performance of the computer system. The Committee recommends that the IRS investigate the availability of a program translator to aid in the conversion of programs from assembly language to a higher level language.


OVERVIEW xiv


CONTENTS

xv

CONTENTS

CHAPTER I:

CHAPTER II:

FOREWORD

iii

PREFACE

ix

OVERVIEW

xi

THE INTERNAL REVENUE SERVICE Background Organization Data Processing Equipment Operating Statistics The Problem

1 1 1 2 3 3

PRIVACY SECURITY, AND CONFIDENTIALITY Terminology Pertinent Law Privacy Protection Study Commission Position Classical Privacy vs. Information Usage The Balance Point Committee Inputs Privacy Computer Security Security During Conversion Personnel Threat The Role of Internal Audit Technology and the Future

6 6 7 8 10 12 15 15 16 18 19 20 22

CHAPTER III:

TRANSITION Introduction Strategy of Transition Organization, Management, and Resources The National Computer Center

23 23 25 29 39

APPENDIX A:

LEGISLATIVE OVERVIEW The Privacy Act of 1974 The Tax Reform Act of 1976 The Freedom of Information Act Court Resolution of Conflicts and Overlaps in the Statutory Authority

41 41 42 44 45

APPENDIX B:

BRIEFINGS AND DOCUMENTS PROVIDED TO THE COMMITTEE Briefings Documents Reviewed

48 48 48


CONTENTS xvi


THE INTERNAL REVENUE SERVICE

1

Chapter I THE INTERNAL REVENUE SERVICE

BACKGROUND The office of the Commissioner of Internal Revenue was created by law on July 1, 1862,1 and the Service, as it is known, functions as an operating arm of the Department of the Treasury. As such, it is responsible to the Secretary of the Treasury, who must approve various management decisions. For example, decisions about computer equipment and data processing systems involve the Office of Computer Science, Office of the Secretary. Basic IRS activities include taxpayer service and education; determination, assessment, and collection of internal revenue taxes; determination of pension plan qualifications and exempt organization status; and preparation and issuance of rulings and regulations to supplement the provisions of the Internal Revenue Code. The sources of most revenues collected are the individual income tax and the social insurance and retirement taxes; other major sources are the corporate income, excise, estate, and gift taxes. The Internal Revenue Service, with 71,771 full time permanent employees in fiscal year 1979, is more than half the size of its parent, the Department of the Treasury. It is larger than all cabinet departments and independent agencies except the Departments of Defense, Health and Human Services, Agriculture, and Transportation; the U.S. Postal Service; and the Veterans Administration. ORGANIZATION The IRS has three organizational levels: the National Office, Regional Offices, and District Offices and Service Centers. Districts may have local offices, the numbers and locations of which are determined by taxpayer and agency needs. The National Office The National Office, in Washington, D.C., develops nationwide policies and programs for administering the internal revenue laws and provides overall direction to the field organization. To assist the Commissioner of Internal Revenue there are a Deputy Commissioner and eight Assistant Commissioners, each in charge of a functional area: Resource Management; Taxpayer Service and Returns Processing; Compliance; Data Services; Employee Plans and Exempt Organizations; Inspection; Planning and Research; and Technical. Legal services are provided by the IRS Chief Counsel, who is as well an Assistant General Counsel of the Treasury Department; there is also an Assistant to the Commissioner for Public Affairs. The National Computer Center, in Martinsburg, West Virginia, and the Data Center, in Detroit, Michigan, are assigned to the National Office.

112

Stat. 432; 26 U.S.C. 3900.



2

Field Organization As a largely decentralized organization, the IRS assigns most of its personnel and activities to field installations. Regional Offices: The seven Regional Offices supervise and evaluate the operations of District Offices and Service Centers. Each is headed by a Regional Commissioner, who is assisted by six Assistant Regional Commissioners. There is also an appeals activity, headed by a Regional Director, to hear disputes from taxpayers. Located in Regional Offices, but not supervised by the Regional Commissioner, are the Regional Counsels, who report to the IRS Chief Counsel, and the Regional Inspectors, who report to the Assistant Commissioner (Inspection) in the National Office. District Offices: Each of the 58 District Offices is administered by a District Director. Depending on population, a district may encompass an entire state or a number of counties within a state. District Office responsibilities include taxpayer service, examination, collection, criminal investigation, resources management; and, in some offices, pension plans approval and review of exempt organizations. Each director is responsible for the deposit of taxes received in the district and for initial processing of tax returns received. Local offices may be established to meet special taxpayer needs or to accommodate IRS workload requirements. Service Centers: The 10 Service Centers, under the supervision of the Regional Commissioners, are in Austin, Texas; Chamblee, Georgia; Covington, Kentucky; Kansas City, Missouri; Andover, Massachusetts; Ogden, Utah; Fresno, California; Memphis, Tennessee; Brookhaven, New York; and Philadelphia, Pennsylvania. Each receives and processes tax returns and related documents and maintains accountability records for taxes collected. Responsibilities include the processing, verification, and accounting control of tax returns; the assessment and certification of tax refunds; and the administration of assigned examination, criminal investigation, and collection functions. DATA PROCESSING EQUIPMENT As of June 30, 1980, data processing equipment supporting tax administration systems included the following complement of computers. Service Centers 11 CDC 3500 computers 12 HIS 2050A computers 11 Univac 90/30 computers 10 H 200 computers National Computer Center 1 IBM 370–168 computer 1 Itel AS-6 computer 1 IBM 370–165 computer 6 IBM 360–65 computers



3

OPERATING STATISTICS Table 1, taken from the Annual Report of the Internal Revenue Service for fiscal year 1979, shows pertinent operating statistics for the Service. THE PROBLEM Over the years, the IRS has had good reason for satisfaction with the present system's performance and adaptability to changing tax law. This is true not only of its overall architecture, with the Service Centers and a National Computer Center, but also of the various computer-based data systems. In some years legislatively mandated modifications have been made on extremely short notice, and periodic equipment upgrades have kept pace with a workload that sometimes has grown at an unanticipated pace. The system's ready accommodation to change is the result of good short-range few-year planning and implementation, rather than of a comprehensive long-range multi-year plan. IRS had devoted considerable thought and energy to long-range planning over a decade or so; the outcome was the proposed Tax Administration System (TAS) of 1976. Regrettably, it was considered too ambitious, was delayed repeatedly, and was finally disapproved. During TAS planning, the existing system in its entirety was treated as the mediumrange interim component; TAS itself was the long range portion. It is no surprise that existing systems have gradually developed serious deficiencies and limitations for the long run. The IRS has described these deficiencies as follows: • Ìnsufficient capacity is the most urgent problem. Long-range projections show that the Integrated Data Retrieval System at the Service Centers will reach saturation in larger centers by the mid-1980's. This will happen despite severe management restrictions on the development of new IRS applications for it. Action now is needed to provide a replacement system which can be installed in time to accommodate the workloads into the 1990's. • Òutmoded technology is inherent in installed equipment; maintainability is gradually becoming a problem. New equipment has advanced significantly in such areas as power consumption, miniaturization, software operating systems, and price-performance. • Ìnefficient design of the operational but old software has inevitably resulted from repeated piecemeal additions to it. • Àssembly-level programming language is used predominantly on all present systems. This fact plus the extensive patching makes on-going life-cycle support inefficient and sometimes awkward and timeconsuming. The programs need to be recast in a structured overall design and implemented in an appropriate contemporary high-order programming language. • `The cost of microfilm research is higher than it should be. Current stateof-the-art technology can significantly reduce the cost of researching tax accounts by eliminating some of the manual labor IRS is currently performing.”


THE INTERNAL REVENUE SERVICE 4



5

The Equipment Replacement Program is the long-range plan for dealing with such shortfalls.2 The IRS will acquire state-of-the-art hardware and software projected to handle workload growth throughout the system's life. To accommodate future growth that at best can be only estimated and to provide a ready capability to implement unforeseeable changes in tax law and administration, families of upward compatible computers will be chosen, and software will be structured in modular form.

2Èquipment Replacement Program Management Plan.” Internal Revenue Service, Assistant Commissioner (Data Services), September 1979.


PRIVACY, SECURITY, AND CONFIDENTIALITY

6

Chapter II PRIVACY, SECURITY, AND CONFIDENTIALITY

TERMINOLOGY In a discussion of privacy, security, and confidentiality, a few terms need to be distinguished with precision. First are those related to tax matters. Until the Tax Reform Act of 1976, tax returns were public records but generally open to inspection only under executive orders or regulations promulgated by the Internal Revenue Service. Furthermore, prior law provided a number of specific situations in which tax returns could be disclosed, and appropriate definitions were contained in regulations rather than in law. The 1976 Act stipulates that `Returns and return information shall be confidential, and except as authorized by this title (1) no officer or employee of the United States, (2) no officer or employee of any State or of any local child support enforcement agency who has or had access to returns or return information under this section, and (3) no other person (or officer or employee thereof) who has or had access to returns or return information…, shall disclose any return or return information obtained by him in any manner in connection with his service as such an officer or an employee or otherwise or under the provisions of this section. For purposes of this subsection, the term òfficer or employee' includes a former officer or employee.”1

In addition, the Act defines a number of crucial terms including return, return information, taxpayer identity, and disclosure. In the language of the Act, the term return means àny tax or information return, declaration of estimated tax, or claim for refund required by, or provided for or permitted under, the provisions of [this] title which is filed with the Secretary on behalf of, or with respect to any person, and any amendment or supplement thereto, including supporting schedules, attachments, or lists which are supplemental to, or part of, the return so filed.” The term return information includes a `wide variety of things, among them a taxpayer's identity, the nature, source, or amount of his income, payments, receipts, deductions, exemptions, credits, assets, liabilities, net worth, tax liability, tax withheld …, whether the taxpayer's return was, is being, or will be examined…, or any other data, received by, recorded by, prepared by, furnished to, or collected by the Secretary with respect to a return.” Significantly, however, the Act provides that `Datain a form which cannot be associated with, or otherwise identified, directly or indirectly, [with] a particular taxpayer” is not considered return information, and therefore is not regarded as confidential. The phrase taxpayer return information refers to return information that is `filedwith, or furnished to, the Secretary by or on behalf of the taxpayer to whom such return information relates.” Taxpayer identity includes the `nameof a person with respect to whom a return is filed, his

1The Tax Reform Act of 1976 (Public Law 94–455) was signed by the President on October 4, 1976. The relevant portion of the Act is Section 1202, which subsequently became Section 6103 of the Internal Revenue Code. The discussion given here is based in part on the language of the Act, Title 12 Section 1202; and in part on the discussion in `Summary of the Tax Reform Act of 1976,” pp. 52–53, a document prepared by the Staff of the Joint Committee on Taxation, October 4, 1976.



7

mailing address, [and] his taxpayer identification number”—either an individual's Social Security account number or a tax account number issued especially for IRS's purpose. Finally, the term disclosure means `making known to any person in any manner whatever a return or return information.” In subsequent subsections, the Act provides explicitly to whom and under what circumstances tax information may be disclosed. Thus, as a result of the passage of the Tax Reform Act of 1976, the legal status, protection, and disclosure controls for tax returns and tax information are markedly improved. Confidentiality is a status accorded to information that indicates it is sensitive for some reason and therefore must be properly protected and controlled. In the computer system context, the simple term security or the more elaborate terms computer security or computer-system security refer to all the measures necessary to protect physically the hardware, software, data, personnel, and other facilities associated with the system, and to implement controls to ensure that information from the system is divulged only to authorized users. Thus, computer security is largely a technical matter of many dimensions, but it is overlaid with personnel, procedural, and administrative aspects. In contrast, the term privacy or the more elaborate ones recordkeeping privacy or personal privacy refer to an information-use issue relating in general to an involvement of the individual in certain aspects of recordkeeping. The Privacy Act of 1974 permits an individual access to his record to verify or challenge its contents in the expectation that such involvement will tend to ensure the accuracy of the record, and in turn the fairness of determinations made about an individual. Furthermore, the Act accords the citizen a modest level of control over recordkeeping in federal agencies by requiring that new recordkeeping systems, or new uses of old systems, be described in the Federal Register a prescribed period of time before implementation. To summarize, the confidentiality of tax information is in part ensured by computer-system security safeguards, which in turn permit the Internal Revenue Service to fulfill the obligation of such legislation as the Privacy Act of 1974 and the Tax Reform Act of 1976. Regrettably, the terms confidentiality, security, and privacy are not always used with precision. For example, an unauthorized disclosure of tax information would strictly be a breach of confidentiality, but unless such disclosure influenced a determination about an individual in an unfair way, it would not be a privacy infraction in the precise sense of the term. On the other hand, it would reveal personal information about an individual, which in a broad sense would be regarded as a breach of privacy. In the example, security safeguards might have been penetrated by some clever means; but on the other hand the improper disclosure might well have been an unauthorized action of some individual authorized to receive information from the system— something computer-system security safeguards cannot guard against. PERTINENT LAW In protecting, handling, and disclosing tax information, the Internal Revenue Service is governed by a variety of laws. In particular, the Privacy Act of 1974, the Tax Reform Act of 1976, and the Freedom of Information Act of 1968 are of direct



8

concern.2 In brief, the Privacy Act provides an individual access to his record in the interest of accuracy and fairness while at the same time stipulating certain recordkeeping requirements upon the Service. In contrast, the Tax Reform Act establishes the confidential status of tax information as well as specifying disclosure controls. Thus, a matter that previously was subject to administrative actions of an agency is now controlled by law and the oversight mechanisms of Congress. The Tax Reform Act has obviously improved matters significantly with regard to the protection and disclosure of tax information. The Freedom of Information Act affects recordkeeping activities in yet another way by providing that the public may be granted access to certain internal documents and records of an agency. The three items of legislation obviously overlap one another somewhat, and in some situations may conflict. Some conflicts have been adjudicated by court decisions. The Committee concludes that the existing legislative framework is an adequate foundation for protecting privacy and ensuring confidentiality, provided there is intelligent and good faith administration and interpretation of the law.

If subsequent events suggest that the present legislative framework contains ambiguities or that there has not been intelligent and good faith administration and interpretation of the current law, then such problems can be corrected by Congress at the time.3 PRIVACY PROTECTION STUDY COMMISSION POSITION The Privacy Protection Study Commission (PPSC) was created by Section 5 of the Privacy Act of 1974 and began work in July of 1975. It was a body created explicitly to examine the recordkeeping practices of organizations that handle data about people and/or make determinations about people on the basis of such records. It consisted of 7 appointed Commissioners supported by a staff averaging 25 in number. The Commission was directed by Congress to undertake a `study of the data banks, automatic data processing programs, and information systems of governmental, regional, and private organizations, in order to determine the standards and procedures in force for the protection of personal information.” Among other tasks it was asked to make such `legislative recommendations as the Commission deems necessary to protect the privacy of individuals while meeting the legitimate needs of government and society for information.” Section 5(c)(2)(B) (ii) of the Act required a report to the President and Congress as to `whether the Internal Revenue Service should be prohibited from transferring individually identifiable data to other Federal agencies and to agencies of State governments.”

2Appendix

A contains a brief summary and characterization of each law. Long v. IRS, 596 F.2d 362 (9th Cir. 1979), a federal appellate court recently suggested that the source material for the IRS Tax Compliance Measurement Program may be disclosable under the Freedom of Information Act. The source materials requested consist of information from individuals' tax returns, in the form of computer tapes and check sheets, but with all information identifying individual taxpayers deleted. The appellate court requested that the trial court determine whether the disclosure of the source materials would entail a `significant risk of indirect identification” and would, therefore, be exempt from Freedom of Information Act disclosure under the Internal Revenue Code. The Internal Revenue Service is concerned that this decision may have a negative effect on their ability to administer the tax laws and to maintain confidentiality of tax information. 3In



9

Because the Commission was aware of Congressional interest in tax reform, it promptly directed its significant resources and talents to tax information disclosure issues. It made specific recommendations to the Congress, which listened carefully. The Commission worked closely with the Internal Revenue Service and (then) IRS Commissioner Donald C.Alexander, and in June 1976 published an interim report entitled Federal Tax Return Confidentiality.4 In view of the concurrent examination of the issue by the Commission and work of Congressional groups, it is not surprising that the Tax Reform Act of 1976 closely parallels in most respects the position expressed in the Commission's interim report. It recommended `theenactment of a federal statute more stringent with respect to disclosures of records made by the IRS than either the Privacy Act of 1974 or the confidentiality provisions of the Internal Revenue Code then in force. The recommended statute would constitute the Service's sole authority to disclose its records about individuals to other federal agencies and to agencies of state government.”5 While there is some divergence between the Tax Reform Act of 1976 and the Commission position on such matters as the use of tax information in juror selection and the protection of information from third party sources, nonetheless `TheCommission believes that its 1976 recommendations for IRS disclosure policy can serve as an example of the kind of particularized disclosure statutes that Congress should enact for certain types of government records that deserve or require special confidentiality protections. The Commission also believes that the rationale for its 1976 IRS recommendations, which is articulated here and in an appendix volume on federal tax return confidentiality, exemplifies the kind of considerations that should be taken into account in enacting any federal confidentiality statute.”6 The Commission goes on to observe that while `The Congress, in enacting Section 1202 of the Tax Reform Act, did not reach the same conclusions as the Commission in every detail, the Commission approves without reservation the process by which the disclosure was formulated—enactment of a statute by the Congress with opportunities for public comment and participation in its deliberation.”7

Although not identical, the Commission's recommendations and the 1976 legislation are strikingly similar. The underlying principles of each of the four basic recommendations of the Commission form a cornerstone of the congressional enactment. Thus, the Commission and the Congress agreed that disclosure by the IRS of individually identifiable data should be permitted only when authorized specifically by legislation unless otherwise directed in writing by the individual involved, that information disclosed to federal agencies be disclosed for the limited use appropriate to the purpose of the particular agency, that the IRS be required to adopt procedures so that the limited disclosure policy can be enforced, that informa

4Published in limited quantity at the time, it was later republished as the first portion of `TheCitizen as Taxpayer” (July 1977, U.S. Government Printing Office, Stock No. 052–003–00422–4). The document is Appendix 2 of, and includes the chapter on tax information matters of, the Commission's overall report, `Personal Privacy in an Information Society” (July 1977, U.S. Government Printing Office, Stock No. 052–003–00395–3). It is a comprehensive treatment of the Privacy Protection Study Commission's views on tax administration recordkeeping. 5Ibid, page 26. 6Ibid, page 26. Also the principal report of the Commission, page 538. 7Ibid.



10

tion disclosed be only that necessary to accomplish the precise purpose for which the request was made, and that a recipient be prohibited from redisclosing personally identifiable information without a specific written authorization from the affected individual. In fact, the Tax Reform Act requires that information be returned to the IRS or rendered nondisclosable after the precise agency purpose has been served. CLASSICAL PRIVACY VS. INFORMATION USAGE The definition of privacy given earlier reflects the recordkeeping context of the classical privacy issue as it developed in the United States through the late 1960s and 1970s. In particular, the debate always addressed the position of each individual in his relation to recordkeeping systems that make determinations about him. With regard to the IRS taxpayer database, the privacy issue is covered by the Privacy Act of 1974, with which the Internal Revenue Service must conform. Since classical privacy is an information-use issue, it addresses in particular the way in which information may be used, the openness with which recordkeeping practices must be followed, and access by the individual to the record in behalf of accuracy, completeness, and fairness. The Tax Reform Act of 1976 also addresses information use, but significantly from the standpoint of all individuals collectively. The Tax Reform Act speaks to the use of the entire IRS database as well as the use of each individual record therein. For example, the entire data base is stipulated to be confidential, and the external third parties to which the IRS may disclose any individual record are carefully specified. In this sense, the issue addressed by portions of the Tax Reform Act is somewhat different from the classical privacy matter. While the Privacy Act does provide for broad uses of a database about people, such uses are at the administrative discretion of the database holder; an appropriate notice-of-intent need only be published in the Federal Register 30 days prior to such new use. In contrast, the Tax Reform Act is explicit in stating for what purposes all taxpayer information held by the IRS may be used and to whom and for what purposes it may be disclosed. Moreover, no agency has the discretion to make additional disclosures. The hearings and Congressional debates that accompanied the passage of the Tax Reform Act, together with the work of the Privacy Protection Study Commission, in effect constituted an ad hoc forum for publicly debating the question: `Whatare the socially acceptable uses of tax information both within and external to the IRS?” In present governmental processes, there is no standing mechanism other than Congressional debate and hearings by which society collectively can decide to what use certain bodies of information may be put and how such bodies of information should be allowed to interface with one another for the benefit or well-being of society. It is correspondingly difficult to debate the companion question: `What uses of a particular body of information are distasteful to the country and to society and should be preempted or forbidden by law or other means?” The issue of socially accepted uses of a particular body of information is rarely separated clearly from the classical privacy issues. In view of such blurring of issues, discussion commonly addresses surrogate questions rather than the underlying issues. For example, Congressional attention often is directed at details of



11

computer-system architecture or at choices of computer equipment, rather than at the fundamental issue of socially acceptable information use. Such a cautious distinction between individual recordkeeping privacy and broad information-use policy is extremely important in limiting the technological options available to the IRS in its future computer-based recordkeeping. As examples of such blurring, the Committee was told of various `constraints” imposed on the IRS by the Office of Management and Budget and by expressions of Congressional concern. In each case, part of the difficulty was a failure to distinguish carefully among privacy, security, and confidentiality. For example, one letter from a group of senators8 voiced concern about privacy issues connected with the IRS's proposed Tax Administration System of 1976. In fact, the central concern was not privacy. Rather the issue was partly one of computer security safeguards— namely, whether such a nationwide system with a large number of computer terminals could satisfactorily protect tax information. The letter also reflected an unexpressed concern about the exposure and visibility of so much taxpayer information on so many terminals in so many places. Looked at in this light, therefore, the uneasiness expressed in the particular communication noted was a surrogate issue for both pivotal technical issues of computer security mingled with a general conviction that tax information should not be quite so readily accessible to so many people. Because past expressions of concern from various sources have focused on surrogate issues, it is not surprising that the Internal Revenue Service finds itself unable to use certain technical computer-system options that might otherwise be attractive and sensible. For example, in the context of upgrading the microfilm system that stores past years of tax return information, a signed statement of agreement stipulates that there must be two physical breaks in any electrical connection between the National Computer Center at Martinsburg and the Service Centers. One solution would be a physical transfer of (say) a magnetic tape from one side to the other of each break.9 The impression left by such a stipulation is that it will somehow impede access to the master database at the National Computer Center in an unauthorized fashion. In truth, it at most delays improper access to the centralized database and erects no significant additional barriers. As a second example, the expressions of Congressional concern about the Tax Administration System implied that an electrical connection between Service Centers and a centralized database would somehow increase the risk of unauthorized disclosure of tax information. Eliminating such electrical connections, however, does not block the exchange of data; it only increases the difficulty. It would still be possible for the IRS to exchange data with other agencies or for an individual acting in an unauthorized fashion to divulge information improperly. To be sure, it eliminates the risk of eavesdropping on the electrical communications, but all other risks continue unabated, especially those that arise from the actions of people in the system.

8Letter dated December 20, 1977, from Senators Muskie, Ribicoff, Bayh, Percy, Abourezk, and Mathias to Honorable James P.T.McIntyre, Jr., Acting Director, Office of Management and Budget. 9Memorandum from Assistant Commissioner (Data Services) to Commissioner; June 30, 1978, `Final Memorandum of Understanding (OMB /IRS).” Also: Memorandum from Office of Management and Budget (Dennis O.Greene) to Department of Treasury (William J.Beckham, Jr.), June 9, 1978, including attachment dated June 7, 1978, entitled `Memorandum of Understanding Regarding IRS Long-Range Computer Modernization Plan.”



12

A prohibition against electrical connections has the effect of shifting emphasis away from computer software and hardware security controls onto the administrative and procedural controls that govern the physical movement of such items as magnetic tapes or discs. Policymaking bodies apparently feel significantly more comfortable with controls on objects or the behavior of people than with invisible computer software and electrical controls on access to computer data. In effect, a position against electrical connections is a de facto policy judgment that one kind of deterrence against misbehavior is acceptable and another one not. While such a judgment can be vigorously debated and a technical person will find it hard to accept, the Committee nonetheless accepted such agreements as part of a negotiated position and not to be challenged. Therefore, certain technical opportunities for improving the IRS computer-based record systems will neither be considered nor recommended in this report. THE BALANCE POINT A mission-oriented entity like the Internal Revenue Service will understandably strive to do its job with the maximum of thoroughness, efficiency, and effectiveness. On the other hand, from a policy point of view in other parts of government and in society as represented in Congress, it is not at all clear how much pressure the IRS ought to be allowed to put on the taxpayer. There is an unidentified and unexpressed tension between such a mission agency, struggling to do its job even better, and the environment that constrains it. The IRS fully understands the value of the tightest and most comprehensive set of computer monitoring processes imaginable, because thereby it could discharge its mission responsibility most thoroughly. Concerns about the Tax Administration System and about networking all centers were voiced in the name of privacy, but in fact they must reflect policymakers' uncertainties about the use of computer technology to tighten the hand of government. For the IRS, it would mean ever increasing power to monitor taxpayer behavior. Computer technology plays a pivotal role in the tension just identified, because it makes possible the comprehensive recordkeeping for ever tighter tax administration. Perhaps it is proper that the IRS must struggle disproportionately hard to apprehend tax evaders in order to avoid tightening things so completely for all honest taxpayers that the system would resemble the Big Brotherism of Orwell's 1984. Constraints such as those suggested previously will be seen as foolish by technologists, as inappropriate by system designers, and as impediments by an agency striving for more comprehensive service delivery. On the other hand, such positions do have a positive social value and represent society's desire to preserve personal privacy and autonomy. They cannot be dismissed simply by the assertion that technology can readily make them unnecessary. Restrictions on system architecture must be seen as reflecting the present attitude of the country and its leadership about what is acceptable with respect to additional computer-based recordkeeping that takes from the individual more and more flexibility of behavior. On the other hand, such constraints do have a bearing on privacy because they tend to deter unauthorized behavior. For the most part though, the effect is not of major significance because they do not markedly change the difficulty of misbehav



13

ing, but only modify the speed with which it can be done. Whatever one believes about the collective effect of constraints as they exist, recordkeeping privacy is in no way involved. The issue rather is possible breaches of confidentiality, in turn related to violations of security safeguards. Thus, a dialogue very difficult to conduct in the first place, is further confused by imprecise use of terms; this leads to erroneous connections among issues, and thus to further confusion, and so on. While a feature of democratic government, the tension between a mission agency's drive to improve performance and the environment that seeks to balance and moderate such drive is not usually identified in connection with recordkeeping systems. Nor is it a clearly stated issue in the front line of debate; it is generally addressed in terms of various surrogate questions. The nation is struggling through an era in which social policy is confronted with the ever increasing use of computers; the fundamental issues are not clearly drawn, but commonly the cause of privacy is invoked as the country attempts to resolve the matter and achieve an appropriate balance point. In a sense, the issue raised here is analogous to the balance of power between the military forces of the United States and their civilian control— a matter which the country understands well because it has for two hundred years thought about it, debated it, and cast it into the form of government. By contrast, the social implications of computerized recordkeeping have gradually been recognized only over the last 30 years, and it is little wonder that all of the interface issues are not understood. The matter is all the more difficult because recordkeeping practices have a way of causing unforeseen and often subtle side effects that were unintended within the original purpose of a recordkeeping system. The issue is further complicated by the fluid nature of societal views toward recordkeeping. When a social cause is perceived as desirable (for example, levying taxes on the so-called cash-only underground economy), then more comprehensive and stringent recordkeeping processes are seen as acceptable. Regrettably, however, it is a one-way street; once more comprehensive recordkeeping practices and controls are in place, it is extremely difficult to remove them. Such a consideration reinforces the natural conservatism of a policymaker faced with uncertainty about the consequences of some computer-related action. The country has yet to conceive and put in place an explicit mechanism to balance the aims of a mission agency with extensive computer resources against society's desire for flexibility in individual behavior and freedom from oppressive recordkeeping practices. At present, due process of law is part of such a mechanism; Congressional debate and oversight is another; public reaction is a third. Perhaps these and other mechanisms in sum are sufficient to avoid government recordkeeping processes that invisibly dominate an individual's life. It remains to be seen. Another National Research Council report10 has suggested to the National Weather Service that a particular computer system upgrade it is contemplating `must not be seen as a stand-alone replacement of computing machinery, but rather as one of the steps toward a future whose characteristics [can be] generally outlined … [and] the Committee concludes that consideration of system-level and architec

10`Technological and Scientific Opportunities for Improved Weather and Hydrological Services in the Coming Decade,” National Research Council, Washington, D.C.: National Academy of Sciences, July 1980.



14

tural details of the information infrastructure that will support the National Weather Service in the future must be commenced now.” Given the uncertain and dynamic balance point discussed here, a corresponding recommendation to the IRS would be unwise and inappropriate. The Committee concludes that the IRS must proceed slowly with its planning for computer-based systems and pace its expectations to the willingness of the country and its leadership to accept increasingly comprehensive tax administration recordkeeping systems.

It is not at all clear how this willingness is to be detected, much less predicted well enough in the long range. One obvious means is to propose a new system and see how it fares; in one sense, the Tax Administration System proposal in 1976 was just such a probe. On the other hand, the IRS might take an active role in a difficult area of governmental responsibility rather than being a follower. At a minimum, the IRS could certainly spearhead an effort to increase the public's awareness of tax administration and of the privacy and confidentiality issues that presently bewilder or escape the attention of many citizens. We express this conclusion knowing that comprehensive long-range planning is ordinarily necessary and proper. For a federal organization that does not deal with information about people, such a recommendation would have been among the first made by a committee like this one. However, for the Internal Revenue Service, which deals with perhaps the most sensitive body of information in the country, the normal expectations of the system planner and system architect simply must be moderated by yet unresolved social issues. In this regard a recent report by the Office of Technology Assessment11 has raised an extensive set of issues and detailed questions that can well serve as a sieve through which the IRS might sift future proposals for tax administration computer systems, and that also could focus Congressional debate and public attention. A final note is in order. While it would seem to be in the interest of the IRS to press for more extensive computer resources to process tax returns and keep records, it must be remembered that this country has a voluntary income tax system that depends on the honesty of the taxpayer and is by its nature a very fragile entity. If the tax system were to be perceived by society as overbearing, there would be a risk of defection from voluntary tax payments, plus a risk that the Congress in response to public outcry would step in and change the system. On the other hand, if the computer support for tax administration is inefficient or overloaded, it can become too easy for a taxpayer to report income incompletely or to underpay taxes. The IRS has reported from time to time on cases in which people have knowingly filed inaccurate returns in the belief that the risk of being caught was small. Thus, a system engineer's goal would be to collect the optimal amount of taxes by striking a balance between the extra money that might be collected from a more

11À Preliminary Analysis of the IRS Tax Administration System” (March 1977, United States Congress, Office of Technology Assessment, Washington, D.C.: U.S. Government Printing Office). The report examines a proposed 1976 nationwide network with several thousand terminals to give tax administration personnel access to a comprehensive database. While the Tax Administration System is no longer an active proposal, the document is an excellent summary of the issues that surface when computer-based tax administration systems are examined by government procedures, plus a vivid demonstration of the difficulty in selling nationwide networks that deal with sensitive information about individuals.



15

comprehensive and tighter tax processing system plus the cost of operating it and the backlash of large underpayment of taxes because of a lax inefficient computer system. Looked at this way, it is indeed in the interest of the IRS and the Department of the Treasury to consider with care how far it wishes to proceed in tightening the tax administration processes in the United States. COMMITTEE INPUTS In developing its internal policy on matters of privacy, security, and confidentiality, the IRS has established a comprehensive set of procedures and practices for its employees. For example, detailed handbooks give explicit guidance for responding to requests under the Privacy Act or reacting to security breaches or threats of various kinds. Furthermore, there are management means for overseeing and enforcing procedures that derive from policy; there are, as well, mechanisms for overseeing policy generation and modification. The Committee has reviewed a variety of such documents, handbooks, and other materials that set forth policy and administrative regulations. In addition, it was briefed on the structure, functions, and authority of the Internal Security group and also the Internal Audit group. In addition, the entire Committee visited both the Atlanta Service Center and the National Computer Center at Martinsburg, West Virginia. On each of the site visits the Committee was carefully briefed on various security matters as well as on details of the mission and the job at the site. The Privacy-Security-Confidentiality Panel was particularly attentive to the physical arrangements and procedures for controlling such things as personnel movement and access and those for physical protection of facilities, especially computer equipment and data. PRIVACY As noted earlier, the relevant legislation in this matter is the Privacy Act of 1974. Extensive sections of the administrative manuals specify rules governing precisely how the Service will respond to a request for information from a citizen. Over the operational lifetime of the Privacy Act, the IRS has received approximately 1,000 requests to see records, mostly from employees of the Service examining their own records. The modest number of external requests is not particularly surprising since individuals themselves furnish the information that finds its way into the tax database. Based on our examination of the relevant portions of administrative rules and manuals, as well as our understanding of the role of the IRS Internal Security and Internal Audit functions, The Committee finds that the IRS is properly fulfilling the obligations imposed on it by the Privacy Act of 1974.

Since privacy in the IRS context is really an information protection and disclosure issue, and since the latter is mandated by law in detail, the question `Howare you doing in privacy?” is a surrogate for `Howare you doing with system-wide security safeguards?”



16

One section of the Privacy Act12 requires agencies to take `reasonable precautions” to protect the data they hold. This obligation is really a computer security matter and is discussed in the following section. COMPUTER SECURITY As noted earlier in the definition of the term, computer security includes the sum of all the ways and means for protecting physical facilities, computer hardware, computer software, communication circuits, personnel, and data against a defined threat. For an agency like the Department of Defense, a major component of the threat is espionage or sabotage by opponent countries. For the IRS, the threat is not so much activities of a foreign power as violations of the confidentiality requirements of the Tax Reform Act of 1976. The threat against IRS computer systems must emphasize such things as activities of disgruntled employees, unauthorized acts of employees, and physical attacks by dissident groups. In systems like those of the IRS, in which manipulating the database or altering the software can have large financial consequences, fraud and embezzlement must be considered more likely occurrences, and therefore included in the threat to be guarded against. Computer system security requires diverse safeguards because so many dimensions of protection are required. Among them will be chain link fences, guard posts, personnel admission procedures, fire protection for computers, operational procedures to safeguard backup computer files, controls on access to the computer system and also controls embedded in it, administrative monitoring procedures to ensure that safeguards are intact and operational, vaults for magnetic tape storage, administrative procedures to limit access to computer terminals, and operational procedures to prevent computer programmers from accessing real data. Comprehensive security requires physical, personnel, communication, computer hardware and computer software safeguards, all embedded in an appropriate administrative structure with proper procedures. With regard to the physical protection plus administrative and personnel aspects, the Committee finds that the security situation at the Atlanta and Martinsburg sites, which it visited, is very good.

With respect to physical protection and procedures for admitting visitors and controlling personnel movement, the situation at Atlanta approximated that found in military installations and is better than those at many industrial organizations. We observed that the employees are very professional, proud of their work, well trained, have a good understanding of the importance of security as well as privacy, and understand the mission of the Internal Revenue Service. The Service is to be commended for its program to maintain high awareness of security issues in employees, and in particular for the special actions necessary to reindoctrinate seasonal parttime employees. On the other hand, as the IRS moves into a new era of vastly improved recordkeeping systems, it must ensure that its posture with regard to security controls is the best possible and be able to demonstrate the fact to review and oversight bodies.

12P.L.

93–579; Section 522a(e)(10).



17

The Committee recommends that the IRS conduct a thorough audit of all security features that safeguard its computer systems, its data and files, its personnel, and its facilities.

Such an audit must examine not only the usual physical arrangements and procedures, administrative controls, and management oversight mechanisms, but also in the coming era, the safeguards embodied in computer hardware and software. While the IRS can undoubtedly conduct such a review internally, it would be advantageous to use external specialists who have broad experience with a variety of computer installations and situations. Computer software safeguards require special comment. They are highly technical, and of necessity the Committee had to accept verbal descriptions of their details and functions. Subject to the limitations of the group in examining such technical matters in depth, we believe that proper procedures do exist to control access to sensitive databases, but we cannot submit technical evidence in support of this conviction. We discovered no evidence that would lead us to conclude that we were misled or presented with an incomplete story. With respect to software security, the Service Centers and the National Computer Center are quite different in nature. The Service Centers provide terminal access to databases for tax administration purposes and to serve the public. No computer programming takes place in such centers but life cycle support of operational software does occur. Thus, the number of employees who could, in principle, modify the system or access sensitive data for unauthorized purposes is negligible. In contrast, the equipment at the National Computer Center supports a very large load of computer program development. Access to real data is sometimes essential and tight procedural mechanisms have been developed to control such access. To the extent that we were able to examine the matter—again one with deep technical overtones—we believe that the security safeguards governing program development on the Martinsburg computers and the access of programmers to real data are generally satisfactory and consistent with the state-ofthe-art. It is important to observe, however, that the ability to implement more comprehensive software safeguards at a Service Center or at Martinsburg is seriously constrained by the installed computer hardware and its corresponding software. When the equipment now at the Service Centers was installed, the commercial industry had been largely ignoring software security. Thus, the IRS had to design and implement its own changes in the operating system software for its installed Service Center machines, a most unusual step at the time. Commercial vendors have only in recent years begun to provide computer hardware with appropriate security safeguards, and they are still struggling to provide complementary safeguards in computer operating system (or executive system) software. The present vendor situation with regard to security-controlling software is especially relevant to the equipment replacement plan now under way. The Service may not be able to get satisfactory software security controls from commercial sources; it may find, depending on the outcome of the procurement process, that it will again have to make changes in operating system software. It is generally agreed that retrofitting operating system software with appropriate safeguards is technically very difficult. Many experts regard it as impossible to retrofit comprehensive safeguards against attacks by a skilled and determined penetrator. Such a view is, of course, much more significant to an agency like the Department of



18

Defense, which must protect its systems against cleverly mounted attacks by technically adept and well-financed foreign opponents. The Internal Revenue Service probably does not have to concern itself so much with deliberate attacks by a determined penetrator. The problem of software security safeguards is thus somewhat more tractable, though not one the Service can minimize or be complacent about. Modifying contemporary operating system software is an extremely complex programming task that must rank high in technical risk. It must be given careful attention not only by the Office of Data Services but also in IRS management review and oversight proceedings that monitor the overall progress of the replacement effort. Although considerable work has been done by others on computer-system security, its results have been applied mainly to systems used by the military; presently available commercial computing systems are not immune to manipulation by expert systems-level programmers who have authorized access to the overall system. Since the Department of Defense has experience in both attempting to penetrate computer operating systems and developing methods for increasing the security of computer operating systems, the Committee recommends that the IRS seek its assistance in the computer security area.

Given the present state-of-the-art in computer security and the centralization of all government research on the subject in the Department of Defense (DoD), it is essential that such experience be utilized. While its assistance cannot guarantee an invulnerable system, nonetheless DoD advice can greatly lessen the risk of serious and easily exploited vulnerabilities. The above comments on the manipulation of computer operating systems apply whether the computer is operated in an on-line interactive mode or in a batch mode. It follows that the proposed arrangement for providing physical breaks in the communication links between a computer and its remote access devices by no means makes it impossible for qualified experts to manipulate the computer. The breaks simply introduce a delay and accordingly make it only somewhat more awkward and possibly more difficult. Even so, time delays and a corresponding increase in difficulty are, of course, worthwhile deterrents and may well be enough to inhibit such manipulation—particularly if a comprehensive audit trail system is in place and regularly used. Although the above discussion may not appear encouraging, it must be recognized that research and development in the computer security field is still continuing and that the matter is not wholly resolved. We recommend that the IRS carefully monitor computer security research efforts and exploit any results that can strengthen the in-place safeguards.

SECURITY DURING CONVERSION In part, the essence of good computer security is a stable physical environment in which a stable work force carries out its work under stable procedures. Such circumstances significantly lessen the opportunities for security breaches. During the equipment replacement program, instability will of necessity occur because physical rearrangements will be taking place, operating system software and appli



19

cation programs will be under revision, procedures may be changed, personnel will be retrained, and so on. Such changes may bring new opportunities for breaches of security. The Committee therefore recommends that the IRS create, as part of its overall planning for transition from the existing computer environment to its new one, a specific plan for heightening security awareness and overseeing the special security aspects of transition.

Much of the responsibility for such planning will rest with the Office of Data Services, but the Internal Audit Division should also be involved, not only to be alert for new security weakness but also to probe for loopholes. There may in fact be opportunities for the Internal Audit Division to uncover existing security weaknesses that have remained concealed. As an example of what might occur, consider a 1979 audit report that identifies a particular computer problem as `deficient programming.” Such a characterization is, of course, somewhat imprecise, but, on the other hand, clever programmers who intend to manipulate the computer system in some unauthorized way can easily make misbehavior appear to be poorly done work. Such subtle effects are extremely hard to judge; even detecting them will require heightened vigilance. The enormous effort of converting approximately 3.5 million lines of computer programs now in assembly language to corresponding programs in an appropriate higher order language will markedly increase the amount of program development activity that the National Computer Center supports. The Committee recommends that technical procedures and administrative means for controlling access to the National Computer Center computers, not only for program development runs but also for access to real data, be thoroughly reviewed for completeness, for possible loopholes, and other shortcomings.

The recommendation simply reflects the observation that what may have been satisfactory at past levels of program development may not be equally satisfactory at the much higher levels that will be reached during the equipment replacement program. Program development for the Service Center Replacement System will be done in Washington, using a computer located physically at Martinsburg, West Virginia. Appropriate technical procedures and administrative controls for giving programmers access to the computer and to live data will have to be developed. PERSONNEL THREAT Experts agree that the vulnerability of computer-based systems to attacks by system personnel is serious. The state-of-the-art for detecting seemingly authorized but actually unauthorized behavior has not yet fully developed. The security controls and audit trails throughout new operating system software as well as the revised application software need to be as comprehensive as possible. The Committee recommends that relevant expertise from inside as well as outside the IRS be used to ensure that the software security controls and audit trails will be consistent with the best state-of-the-art.



20

The task is a system-level design one that will demand the best technical attention. In view of an unavoidable internal threat against computer systems and especially in view of growing concern about fraud and embezzlement, The Committee recommends that the IRS review both at the National Computer Center and at the Service Centers the number of personnel positions identified as `critical sensitive.”

It is our understanding that only a single person at the National Computer Center is now so classified; this seems inappropriate given the Center's pivotal role. A `critical sensitive” position requires a so-called full-field investigation of the incumbent. Our recommendation is intended to enhance the trustworthiness of employees with pivotal management and operational responsibilities. THE ROLE OF INTERNAL AUDIT Auditing computer-based systems is a profession that is less than 10 years old. The development of ÈDP Audit,” as it is called, has resulted from the need to audit through rather than around computer systems.13 Professionally, EDP auditors are either traditional auditors who have been trained in computing skills or computer professionals who have been trained in audit procedures. Because the art is so new, because it combines two disparate disciplines that have not previously worked together, and because it has had to develop its own new techniques and tools, the profession's methods are still fairly primitive compared with those of traditional account auditing. There is still much to learn; many programming tools and methodologies have yet to be developed. For example, the four generally accepted EDP audit functions are to identify controls, to evaluate controls, to determine the functionality of controls, and to verify data. Of these, the last is the most completely developed; the others still require the conception and development of many tools. The Internal Audit Division of the IRS has an appropriate cross-section of skills—classical auditors, computer specialists, and certified public accountants. The staff appears to be aware of the latest EDP audit techniques (e.g., the use of generalized audit software) and has high confidence in its professionalism and knowledge of the field. Staff members have attended many conferences and seminars and are conversant with the current literature.14 On the basis of documents and discussions with appropriate people, the Committee believes the Internal Audit staff to be adequate, but again stresses that the field is by no means fully enough developed to provide assurances as strong as those given by the traditional audit process in noncomputer situations. For example, there is some general confusion in the minds of internal auditors about their actual responsibilities. Do they design the controls, do they comment on the effectiveness of existing controls, do they enforce compliance with controls,

13ÈDP” is electronic data processing. Other acronyms in use are ADP (Automatic Data Processing) and DP (Data Processing). 14For example, `Computer Control and Audit” (1978); and `Systems Auditability and Control” (1977). Both published by Institute of Internal Auditors, 249 Maitland Ave., P.O. Box 1119, Altamonte Springs, Florida 32701.



21

or do they limit their duties to commenting on the extent of compliance with existing controls? The Committee also stresses that threats against a computer-based system and opportunities to use it in an unauthorized way are not necessarily analogous to those that exist in a manual system. There truly are new means for committing crime when the recordkeeping system is computer-based rather than manual, and EDP auditors must be alert to them. To return to a point made previously, the source selection decision for the equipment replacement program must include an assessment of the security safeguards in vendor-proposed computer operating systems software. As noted above, it is an issue of great technical difficulty, and the IRS must bring to bear on the matter the best resources available both internally and externally. The Committee was told of a recently completed procurement in which the IRS Internal Audit Division's subsequent examination of security safeguards in the operating system revealed a substantial deficiency. The equipment replacement program for the National Computer Center and the Service Centers is a much larger undertaking and a correspondingly awkward situation must not be allowed to develop. In the source selection process, the IRS must examine with extreme care not only the adequacy of each vendor's computer operating system software security safeguards but also the ease with which new ones can be added. The Committee suggests that the Internal Audit Division now contains specialized skills that can be exploited during source selection considerations and also exploited for conceptualizing software security controls and audit trails.

The Internal Audit Division will be involved with operational audits of the new equipment and systems, and it seems wise to involve its personnel at the beginning to minimize the risk of future difficulties. The Committee notes that the United States Air Force maintains a group at Hanscom Field in Lexington, Massachusetts, that is widely used throughout the federal government to help in scoring and evaluating vendor proposals. Advice from such a specialized group should also be obtained. Since the Internal Audit Division is so crucial to the assurances that the IRS can give its critics and its Congressional overseers about computer security, the Committee would feel more comfortable if there had been an external review of the Division's capabilities. It is common industrial practice for external auditors to review the capabilities of internal auditors, not to repeat the internal audits but rather to assure management that the scope and performance of the internal function is adequate and appropriate. The Committee recommends that the Commissioner of the Internal Revenue Service invite the General Accounting Office to provide an independent assessment of the capability of the Internal Audit Division.

We stress, however, that the present capability of the Division is not in question. Such an approach would, however, assure the Service that it has the best possible EDP audit function.



22

TECHNOLOGY AND THE FUTURE Contemporary telecommunications and computer technology can dramatically enhance the computer-based capability of the Internal Revenue Service. Major and difficult system engineering problems would have to be solved, but no IRS investment in new technology would be required to achieve any desired level of nationwide network-based computer support. A major system-level task would be to provide comprehensive security safeguards at the network level, a task more difficult than safeguarding an individual computer system. On the other hand, exploiting technology in such a way inevitably brings risks. Tax information, for example, would likely be more visible and exposed to misuse simply because a larger number of terminals would make it easier. Furthermore, large amounts of tax information might be transmitted over communication circuits where it could be intercepted—another new risk. Various communication security techniques might become necessary. In the end, it is very difficult to balance the benefits of an improved level of recordkeeping against new security and privacy risks and against new social and political implications. Policy-making bodies at the federal level are not in a good position to struggle with such an intricate issue or even to debate it in a learned way. Given all the uncertainties about the future, especially with regard to social attitudes about privacy and information use, policymakers will inevitably err on the conservative side and opt for more traditional approaches to computer-based systems. It is unlikely, therefore, that giant leaps in technical sophistication will readily occur in computer-based nationwide networks. Such an observation is particularly pertinent to the IRS, which deals with information viewed by citizen and government official alike as extraordinarily sensitive and demanding of the utmost in protection and controls over disclosure. In this sense, therefore, the now defunct Tax Administration System of 1976 was probably ahead of its time in terms of what the country, as reflected by Congress and various elements of the executive branch, could accept comfortably.


TRANSITION

23

Chapter III TRANSITION

INTRODUCTION The transition implied by the IRS equipment replacement program is a massive project involving the expenditure of $218,000,000 over a period of eight years. Computer equipment will be changed at 10 Service Center locations and eventually at the National Computer Center as well. There will be corresponding modifications to buildings and facilities, not to mention a very large software effort to exploit modern computer programming languages. The transition process will involve as many as 500 technical and professional people at its peak. The documentation necessary merely to coordinate such an effort will itself be very extensive. The Committee could realistically examine only the overall strategy and organization of the transition and assess the adequacy of the available resources. At the more detailed level, it was able only to spot check the formats and scopes of individual plans, the care and effectiveness of planning, the skills of the personnel, and the capability of the management team. It did not have the resources to examine the quality of training or the effectiveness of development tools. Much of the planning detail evolved while the study was in progress, and the Committee was forced to make judgments about future events that would result from ongoing IRS planning. The Committee could and did consider alternative strategies and organizations for effecting the transition. It met with IRS managers to discuss the plans and the responsible organizations; it reviewed alternatives with them, discussed how the project fits into the overall IRS management structure, and followed the evolution of the management team. The Issues Two broad issues arose in the Committee's assessment of the transition planning. The first is the overall strategic approach—how the system will be changed, the sequence of major steps, and the overall plan for managing the transition. The second is the organization and management of the transition. The questions here are how the strategic plan will be executed, who will do it, what controls must be applied, what techniques will be used, and what resources will be available. Perspective Technology, particularly new technology, imposes no limitations on what the IRS intends for the future; therefore, it is not a pivotal issue in the present plan. On the other hand, the computer field has advanced rapidly; the new equipment and its associated operating system software will be dramatically different from that now installed in the Service Centers and the National Computer Center. Thus, technology does become a problem area simply because inherent in its installation are several important concerns.


TRANSITION

24

The IRS intends to keep the general computer processes unchanged to minimize risk. While this is admittedly proper, the effort cannot be regarded as simply an exchange of one computer for another on a business-as-usual basis. The so-called Equipment Replacement Program is a big undertaking by any measure. There are risks and pitfalls that must be appreciated in advance and reflected in planning. Significant detailed system changes may be necessary simply to exploit or accommodate new equipment or system software. Unfortunately, many such details cannot be known until vendor selection is made. However, there must at least be an awareness that the effort is in every way completely different from the customary daily operational environment of the IRS—in scale of effort, in nimbleness of management and responsiveness of decisionmaking, in scope of documentation, in completeness and tightness of control, and in reaction to unanticipated problems. The Committee recommendations below can lessen the risks, but the Equipment Replacement Program must be seen by the IRS as the large engineering development project that it is. Assumptions Crucial assumptions include the following: • During the transition the IRS must fully accommodate any changes that may occur in tax law. • Because there is no need for a radical change in the general structure of the information processes supporting tax administration, a long-range strategy of evolutionary growth is appropriate. Since the IRS cannot predict legislative changes, any such long-range approach must embody the flexibility to accommodate new requirements. • A program to replace equipment only, without redesigning information processes in detail, is satisfactory. Indeed, in an effort of such size it would be far riskier to redesign the software processes and change the hardware simultaneously. • While system design changes generally should be deferred until the transition is complete, some flexibility can be allowed under prudent and tight management review and control. Although some detailed changes in software will be dictated by the adoption of COBOL, The Committee recommends that the existing general structure of programs and files not be altered to change the processing flow, the functions provided, or the overall system architecture.

It is obviously impossible to avoid some changes in software when it is moved from one computer to another. At a minimum, the present assembly language programs must be modified to accommodate the characteristics of the COBOL language. It may even be necessary to restructure the files in the database. At the other extreme, one could envision a complete redesign of the information flows that collectively perform tax administration. Naturally, this would imply a wholesale redesign of software; the IRS would be starting ab initio on its software.


TRANSITION

25

Our view is that the latter is unwise because of the magnitude of the job. The former is unavoidable, and how much redesign beyond it is a matter of judgment as the details of software conversion develop. To keep the software task to a manageable size, the project management must enforce a high level of deterrence to change. There will be a myriad of technical details in deciding how much software change is appropriate, some of which will not be known until the equipment has been selected. Thus, our recommendation and advice is to deny all proposed change unless the case for it is extremely strong and the payoff from it sufficiently large to justify the additional commitment of resources, impact on the schedule, and risk. A crucial point in any software effort is the status of the documentation, those descriptive items or program listings that specify what a program does and how it is done. The Committee raised the point with the IRS and was assured that either the documentation is already adequate for the purpose of conversion, or where it is not, appropriate documentation will be created before conversion begins. Some of the latter effort is already underway. We did not have an opportunity to examine samples of the documentation but, given the age of the present software, it is inevitable that it has been patched and repatched to accommodate essential change over the years. Clearly, inadequate or incomplete documentation will magnify the already large task of software conversion and disrupt schedules and funding allocations. The IRS decision to examine the status of documentation first is sound; such resources as are needed to do the task thoroughly must be committed. Avoiding Delays During 1981 transition costs will reach $1 million per month; they will rise to $2 million by 1985. This is a crude but useful measure of the maximum cost of delay. On a project of such complexity, the potential for delay is ever present, and while some delays will arise from pressure to alter the basic way in which processing is done, others will arise from incomplete planning, mistakes in implementation, or unforeseen events. Additional expenditures to minimize delays can be thought of as an important form of insurance. Therefore, some contingency arrangements should be incorporated into the total plan. To summarize, the essential first step in minimizing delay is to select a strategy that minimizes risks. The second is to invest in good planning; the third, to seek out and prepare contingency plans for potential problems. These factors should and do dominate the discussion and recommendations. STRATEGY OF TRANSITION Overall Strategy The transition is to be carried out under an overall strategy of equipment replacement. This is not to say, however, that each item of new equipment merely replaces an old one; the situation is much more intricate. Existing systems must continue to operate as they now do while they are gradually replaced by new hardware with converted software. Some detailed changes will inevitably occur; for


TRANSITION

26

example, new file layouts or better structuring of programs may be needed, and interim interface software modules will surely be needed. Piece-by-piece change is a desirable way to minimize trauma and delays while upgrading a large system that must continue to accommodate its operational load in the meantime. Cut-Over Strategy1 To understand the process of transition, consider the extremely simplified but basically accurate description of the system shown in Figure 1. There are two locations to consider: the National Computer Center (NCC) in Martinsburg, West Virginia, and ten Service Centers (SC) throughout the country. Each Service Center receives taxpayer returns and related documents, batches and processes them for editing and data encoding, and enters the data into a local computer system for correction of errors. After transcription, magnetic tapes are shipped to the National Computer Center for posting to the master file. For any of a variety of reasons an account may fail to post, requiring its return to the Service Center for resolution of the problem. Service Centers are responsible also for complete revenue accounting—reporting monies deposited, assessments, abatements, and other control information—as well as printing and sending notices or bills to taxpayers. At the National Computer Center the centralized business master file (BMF) and individual taxpayer master file (IMF) are posted and analyzed; prescribed outputs are produced on magnetic tape. The BMF and IMF are maintained in taxpayer-account sequence—the BMF by the employer identification number assigned by the IRS, and the IMF by taxpayer identification number. Each account contains taxpayer identifying data such as number, name, address; returns liability and settlement data; and results of return examination. On a regular weekly production cycle, input tapes from each Service Center are received at the National Computer Center by air freight. In turn, refund tapes are certified to Treasury Disbursing Centers, and other output tapes are sent to Service Centers for printing of notices, bills, and registers. Information on accounts is produced on microfilm, which is distributed to Service Centers to aid research on accounts; the National Computer Center handles no taxpayer documents. Except for special printed reports and extracts from the two master files scheduled for monthly, quarterly, semiannual, or annual production, input and output are chiefly magnetic tape. Conceptually, the overall processing sequence is simple. • Tax returns arrive by mail at Service Centers and are transcribed to magnetic tape by a system that will not be replaced or altered (System T).2 • Transcribed returns are processed for arithmetic accuracy; when errors are resolved, updated information is sent on magnetic tape to the National Computer Center (System P). A copy is also used to update the local Service Center file on a `pending” basis (System H).

1`Cut-over” is technical jargon, but commonly used to describe the events of conversion. Furthermore, it is descriptive of the transition process in that a long sequence of coordinated actions must take place, generally over a lengthy period of time. Cut-over is not an instantaneous event, such as would be suggested by throwing a switch from one position to another. 2Refer to Figure 1 for the overall flow of events.


TRANSITION

FIGURE 1

27


TRANSITION

28

• Transcribed returns are processed at the National Computer Center to update the master files (System M). • Once a week, magnetic tape copies of selected records and parts of records are sent to each Service Center (System I). • Each Service Center uses the material from the National Computer Center as its local database, supplementing it with pending data from the local preliminary processing and local files used to support ancillary activities (System D). • Each Service Center provides the same set of query, processing, and update capabilities to itself and the associated District Offices (System Q). • A separate system manages the telecommunications network and terminals connected to each Service Center (System N, which is not being replaced or altered). Systems H, D, and Q together comprise the Integrated Data Retrieval System (IDRS), which was developed to provide fast access to up-to-date taxpayer account information. With the IDRS, Service Centers and District Offices are connected to a specially created database whose content is based on the probability that an inquiry for a particular account will occur. It typically contains about 10 percent of the taxpayer accounts for which a Service Center is responsible. IDRS also provides operational management information for examination and collection activities. It has significantly improved the ability of the IRS to provide quick response to taxpayer's inquiries and to monitor delinquent accounts. • The files at the National Computer Center are processed weekly to make full copies of selected records available to Service Centers on microfilm (System D). • All other processing at the National Computer Center is self-contained or provides outputs to systems other than those at Service Centers (System O). The replacement program does not change any of the flow structure shown in Figure 1. The basic change is to four sets of hardware, with concomitant software changes. They are: • • • •

System P in the Service Centers Systems M, I, and O in the National Computer Center Systems H, D, and Q in the Service Centers System D at the National Computer Center

The overall program is divided into three largely independent conversions: • Phase 1: Convert the files and programs at Service Centers (Systems P, H, D, Q) and use temporary interface programs to keep them operating with the National Computer Center. This phase is called the Service Center Replacement System (SCRS). • Phase 2: Convert the National Computer Center (Systems M, I, O). • Phase 3: Convert the microfilm operation (System D). The general concept of separate, noninteracting phases is clearly sound. It reduces risks and minimizes the complexity of the events to be controlled; both are essential in a project the size of that being undertaken by the IRS.


TRANSITION

29

As of the date of the Committee's work, only the Service Center Replacement System had been developed in detail. It is the most complex, and this report therefore discusses only Phase 1 in detail. Service Center Replacement Strategy The general strategy for Service Centers is to use the Memphis Service Center as a pilot project, on a schedule that permits thorough testing and operational certification. The remaining Service Centers will be upgraded, one at a time, by installation teams. A schedule and general plan for this has been prepared, and it is a sensible and sound approach. The general approach for the pilot effort is gradually to move files and their associated processing operations concurrently from the old system to the new one. The procedure can tolerate some schedule uncertainties and delays, and it avoids the trauma of a tightly scheduled cut-over, which can be extremely troublesome when delays occur and deadlines are missed. Use of a Higher Level Language During the transition, the IRS will continue training its staff in the use of structured program design and the programming language COBOL. A major part of the transition will be converting the current assembly language programs to COBOL. The decision to move to a high-level language is a good one, since it will ease future changes and make support of the software more convenient. The choice of the language COBOL is also sound. Other possibilities raise difficulties of various kinds; e.g., some languages are not appropriate to the nature of the processing the IRS does; others are not provided by all vendors who might bid so that choosing one of them could inadvertently restrain competition; still others do not provide enough additional capability to justify their additional complexity and difficulty of use. Making the change to a high-level language during transition is also a sound decision, allowing learning costs to be absorbed in the transition effort. ORGANIZATION, MANAGEMENT, AND RESOURCES As explained earlier, the Service Center Replacement System portion of the Equipment Replacement Program will take about five years, will occupy a staff of 500 people during its peak year, and will involve not only some aspects of the National Computer Center, but also all Service Centers and most of the IRS organization at one time or another. A comprehensive program of such magnitude clearly demands an organization to manage and control it. Such an organization will represent the chain of command through which activities at the various echelons are planned, approved, assigned, supervised, and executed. The particular details of the organizational structure selected to manage and control a major effort depend not only on the nature of the undertaking itself, but also very much on the characteristics of the parent organization in which the task is to be carried out.


TRANSITION

30

In the course of its examination, the Committee pinpointed many specific issues that have significantly influenced the success or failure of other efforts in a wide variety of organizations. As issues were recognized, each was reviewed and discussed with the relevant IRS project staff. The discussions and review actions satisfied many of the Committee's concerns, but others, highlighted under the next few headings, deserve continued review by the IRS staff. The Task The Service Center Replacement System consists basically of replacing the obsolescent computers in the 10 Service Centers with modern processors, plus converting all the existing programs from assembly language to COBOL. The task is straightforward in principle, but in practice it becomes complex because of its magnitude— 1.5 million lines of code, 1040 programs, 10 Service Centers—and the need to carry it out over a period of five years without disrupting normal operation. The Issue of Organization To plan and execute a large undertaking like the one the IRS intends, some organizations would establish an entirely separate entity, often referred to as a `project office,” with its own manager and staff; it would become a self-contained entity with complete responsibility. Other organizations execute large projects within existing organizational structures. The IRS has chosen the latter alternative. It will augment the staffs of existing sections and add staff as needed in appropriate branches of the Systems Design and Programming Division (Figure 2). Conversion of all programs will therefore be done centrally at the IRS headquarters office in Washington, D.C., under the responsibility of the Director, Systems Design and Programming Division. The advantages of such an arrangement are as follows: • Computer program conversion will be carried out in organizational units that are already responsible for, and therefore familiar with, the functions and structures of the programs in detail. • There is a continuing need to maintain the existing computer programs and incorporate changes, such as those mandated by legislation, while simultaneously writing and supporting the new computer programs. It makes sense to retain a close connection between the two efforts. • New additions to the staff—an increase of perhaps 200 above the present level of about 625—will be required to carry out the conversion. It will be simpler and less disruptive to integrate new and relatively inexperienced staff into existing units. • It is probably not possible within the organizational tradition of the Internal Revenue Service to establish an autonomous and powerful project office to accomplish the tasks of the Service Center Replacement System program. The Committee agrees with the advantages cited above. We endorse the organizational plan developed for the Service Center Replacement System but note that such an organization usually has difficulty in uncovering and resolving the many

FIGURE 2


TRANSITION 31


TRANSITION

32

minor conflicts that always arise. Decisions may be made at too low a level for management to see and understand their implications. Therefore, to maintain control and visibility, we strongly recommend that the Systems Development Office have sufficient staff and be organized so as to review the decisions and tradeoffs made at all management levels on the project.

The Issue of Conflict The new hardware and converted programs at the Service Centers will be installed by two independent installation teams. The equipment team will be provided by the System Support Division and the programming team by the Systems Design and Programming Division. The System Development Office will coordinate and closely monitor the work of the installation teams. As the Service Center Replacement System program proceeds, conflicts will develop, particularly with regard to priorities and resource allocations, during both conversion of programs and installation in the field. Conflicts involving the conversion of programs can probably be resolved within the Systems Design and Programming Division, if care is taken not to set back the plans and schedules established by the Systems Development Office or the field operations. Otherwise these conflicts may need resolution at the Assistant Commissioner level (Figure 3). Conflicts during the installation phase in the field are more likely to be the result of conflict between the schedule and priorities set by the Systems Development Office, on the one hand, and the day-to-day requirements of field operations on the other. These also may require resolution at the Assistant Commissioner level (Figure 3). The IRS now has a Policy Resources Board for automatic data processing; it includes all Assistant Commissioners and is chaired by the Assistant Commissioner (Data Services). The role of the Board is to decide on system development priorities and to allocate resources. We endorse the concept of a separate Priority Committee, chaired by the head of the Systems Development Office, to deal with the issues of conflict during the development and implementation of the Service Center Replacement System. The members should be at levels close to those at which operational problems will arise. The committee should include senior representatives of the divisions within the Office of Data Services plus representatives from the regions. A committee, with its scope of authority defined in writing by the Assistant Commissioner, will, in the opinion of the Committee, greatly expedite the cooperative and timely resolution of conflicts. Installation and Cut-Over The Committee views the interval during installation of new computer hardware and the cut-over from old software systems to new ones to represent a special risk. Previous experience with similar transitions of large systems indicates that great care is required. The Committee recommends that specific detailed plans be prepared for the cut-over phase, including acceptance criteria, and that prior preparations be made for emergency back-up actions.

FIGURE 3


TRANSITION 33


TRANSITION

34

The risk of system cut-over can be lessened by a number of early preparatory actions. We recommend that the test-and-evaluation program contain precisely defined criteria for cut-over qualification.

Following successful completion of testing, complete cut-over is ready to occur. Two safeguards will be necessary at this stage: • The old and new systems should be operated concurrently until all personnel have become accustomed to the new system, the required operational results have been obtained from the new system, and satisfactory overall reliability has been demonstrated. Only then can the old system be dismantled. • A readily available back-up system and/or a responsive arrangement for system recovery-and-restart must be available. No cut-over steps can be considered until testing clearly indicates that a successful transition can be completed, and that all problems or delays can be handled within the time limits required by Service Center operations. It is our opinion that the final decisions related to cut-over during the actual installation of the new systems and programs in the field should be given to the officer with operational responsibility—the Regional Commissioner or his designee. There are two major reasons for this: • He is closer to and more sensitive to the operational needs in the region, • When conflicts arise between the schedules and priorities set by the Systems Development Office and the day-to-day requirements of the field operations, operations should be properly represented and have priority. Systems Development Office Planning and scheduling, coordination, and fiscal control of the Service Center Replacement System program will require constant attention to detail. A Systems Development Office, reporting directly to the Assistant Commissioner (Data Services), has been established for the purpose. The Office will coordinate and maintain the `project plan” for such diverse activities as fiscal oversight, design, development, implementation, procurement, facilities, training, and public relations. It will also coordinate and maintain the overall program budget. The nature and extent of the authority vested in the Systems Development Office must depend entirely on delegation from the Assistant Commissioner (Data Services) and/or the Commissioner himself. However, it is clear from the nature of the technical and management effort to be performed in the Systems Design and Programming Division, and from the limited number of personnel currently planned to staff the Systems Development Office (approximately 15) that it can play only a general planning, coordinating, and advisory role. It could not be a true project office. This is not to demean its role, but simply to clarify it. We believe that such an arrangement offers an appropriate role for the Systems Development Office, given the nature of the Internal Revenue Service as an organization. Even so, the Systems Development Office, to carry out its responsibilities in the detail and in the timely fashion required, will have to possess strong project-


TRANSITION

35

office-like authority and be in close and constant communication with all the units involved in the project. These include, at a minimum, the analysis and programming teams, recruiters and trainers, the installation team(s), the budget office, contractors, and field office personnel. The information to be analyzed and reported for control must be extensive. We doubt that the presently planned staffing level for the Systems Development Office is adequate to ensure monitoring in sufficient depth. We therefore recommend that the staff of the Systems Development Office be approximately doubled from the planned 15; that the Systems Development Office obtain expert advice on the adequacy of its project management system at the earliest date; and that representatives of the Systems Development Office routinely attend planning and design review meetings where program issues are discussed and decided, to develop their own sense of the information being provided by various task teams and also to maintain the automated project control system.

Project Funds Management Funds management is essential to achieving the schedule and staying within the budget. The Committee considers the area of effective funds management to be extraordinarily critical, and the key to minimizing conflict and delays. The Committee recommends that the IRS require close and careful control of project funds by the System Development Office.

Management of project funds is a task that spans the complete project life. It is directly related to all phases from planning to development, testing, installation, cut-over, and system operation. Funds management is also a vital tool for the project manager to use in tracking progress against schedule, relating expenditures to planned task completions, and controlling the budget. No project member can be allowed to commit or expend funds except in accordance with the approved overall plan and budget. In the project budget the total effort must be divided and subdivided until all tasks are defined at a level sufficiently detailed to be readily understood and manageable. In such a process, the Work Breakdown Structure will identify all major project areas from the grossest to the most detailed level, until all task and expenditure activities are completely identified. At the lowest levels of activity, estimates will be made of resource requirements (manpower, money, material) and budgets will be assigned. As budgets are aggregated from the most detailed Work Breakdown Structure levels to each major Work Breakdown Structure area, a total project budget will evolve. During the implementation period, all activities must operate within the approved budget. In this period, work packages will be developed to correspond with Work Breakdown Structure identified tasks. Personnel will be assigned tasks, equipment will be purchased or leased, and all activities will be geared to the budget. Performance and cost measurement reports and controls will be needed throughout the implementation period. All staff personnel authorized funds under a budget and assigned to tasks should report to project managers on a regular basis.


TRANSITION

36

Regularity in reporting provides early warning of forthcoming or anticipated problems in schedules or costs. In contrast, after-the-fact reporting simply documents history and is of correspondingly less value in project management. Reports must clearly measure progress made against that planned and explain in adequate detail any variance in progress or cost. The project plan and budget must cover all direct expenditures, all support elements, and as required under IRS fiscal control procedures, training, construction, communications, contractor support, and so on. The Committee discussed the topic of funds management with the IRS staff on several occasions. We believe the area of overall IRS project management needs further attention. We understand, for example, that IRS funding for the project will be commingled with other IRS funds; and that the normal IRS work assignment and funds management controls will be applied to work performed for the project.3 The Committee strongly recommends that the IRS hold separate all project funds. It further recommends that the Director of the Systems Development Office be given budget assignment and control authority for project funds.

These recommendations do not require handling of funds outside current IRS financial management organization. However, they do require establishment of project budget and fund control measures that allow the project manager to oversee the expenditure of funds approved for the project. The collective experience of the Committee in managing large project tasks leads us to conclude that failure to follow the preceding recommendation will seriously jeopardize the optimal completion of the whole effort. Resources The Equipment Replacement Program is estimated to require an investment of 2000 staff-years in the calendar years 1980 through 1987. The Service Center Replacement System portion is estimated to require 1500 of these staff-years from 1980 to 1985 and is therefore the major part of the effort. To achieve such levels, the staff of the Systems Design and Programming Division is expected to increase from the present level of approximately 630 to about 700 in 1982, and to peak at about 725 in 1983. Another 100 personnel may be needed in the field to carry out the implementation. The Committee is not in a position to comment on the accuracy of the estimates; to do so would require a detailed review of all the tasks required in the Service Center Replacement System, as well as a detailed examination of all computer programs and files to be converted. However, while staff additions at the rate of (say) 60 to 100 per year are not unheard of, such growth is difficult. We conclude that the staffing levels are attainable with a concerted effort but that the training requirements will be extremely burdensome. It is our understanding that the IRS is addressing these training requirements. It was mentioned previously that at the peak level of the program, the transi-

3For example, computer programmers and analysts assigned to a work section may or may not work on a project task on any given day, and funds used for project construction are not under the control of the project manager.


TRANSITION

37

tion costs may reach $2 million per month; thus, a three month slippage in the schedule can increase the project's costs by a maximum of $6 million. Given the program's complexity and duration, situations that may contribute to delays are almost certain to arise. We urge insuring against such an eventuality as suggested by the means discussed earlier. Each action will require an investment in additional resources, or at least the reallocation of funds. Project Master Schedule and Detailed Planning The Committee supports the concept of a single approved master schedule for the project. The master schedule would identify all key project activities and be supported by detailed schedules and planning in all project areas, but could not be altered without approval of the project manager. The master schedule would show relationships among project activities, allow concurrent actions as appropriate, and identify the project's critical path. The Committee recommends that the Systems Development Office maintain and periodically review its master plan and the necessary project reporting procedures to ensure a steady flow of management information.

Management information will be essential to support such a master schedule, so that progress can be monitored. The Committee recommends that contingency plans be developed for the circumstances most likely to raise difficulties with the project system performance, schedule, or cost.

Schedule delays can result from any of a number of events, and are normally accompanied by cost increases. The project manager should plan in advance for the most likely impacts by providing alternate courses of action, provision for the use of outside help, and financial management reserves. The Systems Development Office should consider retaining an outside contractor, experienced in project management and in setting up and maintaining a project control system, to review the system that the IRS now has in place. Such a contractor should provide staff who have actually managed a project control office. Their experience and their disinterested, unbiased assessment of the project's status and progress will be invaluable to the senior officers of the IRS. The Systems Design and Programming Division should contract on a retainer basis for the services of a large, experienced software contractor to augment its resources (within existing civil service regulations) on demand at short notice, in case of unanticipated delays in the program conversion. The Systems Design and Programming Division should assign two or three competent project leaders from the contractor's staff, as full-time members (not necessarily as project leaders) of certain key teams on the project, as may be consistent with civil service regulations. This will allow them to become fully familiar with the project and develop hands-on experience in key tasks. If and when problems develop and delays materialize, additional resources from the contractor's larger pool can be called upon. The contractor's project managers will already be on the job and thus be able to augment the IRS's own resources with a minimum of delay.


TRANSITION

38

Independent Testing and Evaluation In all major projects, testing and evaluating the products produced is a task of great importance and a possible source of conflict. In the Service Center Replacement System effort, testing and evaluation are particularly important, due to the large amount of software to be produced, and also to the fact that new systems must go immediately into key IRS operational functions. The Committee recommends that the IRS evaluate the desirability of contracting with a firm that is expert in testand-evaluation operations, either to undertake the actual test-and-evaluation or to ensure the adequacy of the testand-evaluation procedures developed by the IRS.

Project Documentation Project documentation is frequently slighted in both planning and implementation phases. Adequate project documentation is costly in money and in technical effort, but failure to provide it can prove even more costly in the long run, create substantial schedule delays, and introduce unnecessary added risks. The Committee recommends that a project documentation tree be specified by the Systems Development Office. The documentation tree should name all required specifications, test documents, manuals, handbooks, and reports.

Each item required by the documentation tree should be described in form and content, and assigned to an organizational element for preparation and revision. The IRS Service Center Replacement System project is large and complex, and work on it will be conducted by different groups throughout the country. To produce specifications for the new system, it may be necessary to update or even create the documentation for the old system. This could be a substantial and unrecognized task. Impact of a Higher Level Language The IRS computer systems are dynamic and are expected to undergo frequent changes in the future. The planned change from assembly language to the higher level language COBOL is necessary and technically feasible, but it is not without risk. The current IRS Service Center programs are in assembly language and can thus be expected to have advantages in terms of program size and processor response over corresponding programs in COBOL. The effects are not precisely known. However, in the Request for Proposal solicitation, the IRS has estimated that file size will increase by 50 percent and that the burden on the central processing unit will increase by 300 percent. Changes in system response time may also occur as a result of the change from assembly language to a higher level language. Any slowing of system response due to language changes can be partially offset by newer, faster hardware. We recommend that the IRS staff continue to study the response time issue and estimate by mathematical analysis, simulation, or tests the likely effects on the performance of the computer system.


TRANSITION

39

The Committee believes the change in language will prove to be a mixed blessing. The ability of the IRS to make fast changes to computer programs will be improved, but the need for faster hardware and additional memory (especially to maintain the response required by the IRS) may introduce significant hardware costs, especially in memory. Although analysis will provide some knowledge about the impact of COBOL, hard information will not be available until some tests have been conducted. As test data become plentiful, system design personnel can better identify system performance parameters and make design changes if necessary. Also, if necessary to ensure rapid system response, small portions of the programs could be retained in assembly language with little or no impact on program change issues. The Committee recommends that the IRS investigate the availability of a program translator to aid in the conversion of programs from assembly language to a higher level language.

Some success has been obtained in the use of translators, and the IRS should examine a number of the approaches developed by industry.4 With the aid of experienced personnel and the use of translators, large portions of assembly programs may be convertible to COBOL or near-COBOL by an automated operation. Success in the use of translators could result in worthwhile savings in manpower during the conversion. THE NATIONAL COMPUTER CENTER Although the Committee addressed only the Service Center Replacement System, many of the same cautions and recommendations are clearly pertinent to equipment replacement and software conversion actions that will occur at the National Computer Center. Furthermore, there is a technological option available that seems not to have been considered by the IRS. Although networking as an overall nationwide system architecture is for various reasons not now acceptable, networking of the several computers within the National Computer Center is permissible, provided that electrical connections to the external world do not exist. As the various computer systems of the National Computer Center are replaced by more modern ones, the IRS should consider networking them to achieve such advantages as: • • • •

4For

Better and more automated work flow Better overall availability of computing power Less need for operator intervention and manual operation Ready backup among individual systems.

example, two large insurance companies have used such translators, one as early as 1976, for this purpose.


TRANSITION 40


APPENDIX A

41

Appendix A LEGISLATIVE OVERVIEW

THE PRIVACY ACT OF 1974 (5 U.S.C. SECTION 552) The Privacy Act of 1974 was passed to safeguard individual privacy from the misuse of federal records and to grant individuals access to federal records concerning themselves. The Act provides that, in most cases, information gathered for one purpose cannot be used for another without the consent of the subject of the record. In addition, individuals have the right to request changes of records they believe are inaccurate, irrelevant, untimely, or incomplete. The Privacy Act is the only one of the three described in this appendix that circumscribes the information that can be collected and establishes criteria for its use. Specifically, the most important provisions of the Act relating to `privacy” would, with certain exceptions, require each agency to: 1.

2.

3.

4. 5.

Limit disclosure of information to those persons designated by the subject of the record or as otherwise provided by statute.1 The agency must maintain a record of all disclosures; with certain exceptions, it must be available to the individual. Allow the individual, upon request, to gain access to any information pertaining to him and allow the individual to request amendment of any record.2 If the agency refuses to amend a record, the individual may request a review of the decision. If unsuccessful, he can file a statement of disagreement which requires the agency to annotate any disputed portions. Maintain only information that is relevant and necessary to accomplish a purpose mandated by statute or executive order and maintain any information used to make determinations with such accuracy, relevance, timeliness, and completeness as to assure fairness in the decisionmaking. Publish annually a description of the system of records on individuals maintained by the agency. Establish appropriate safeguards to ensure record security and establish rules of conduct for agency personnel involved in recordkeeping.

The Privacy Act also establishes a system whereby the head of an agency can exempt an entire system of records from disclosure where the information relates

1The statute provides for eleven situations in which disclosure can be made without the consent of the individual in question. Among them are:

a. To employees within the agency which maintains the records, or the General Accounting Office, in order to perform their duties, b. As required by the Freedom of Information Act. c. For a routine use. d. For certain census, statistical, or historical purposes, e. For civil or criminal law enforcement activities if authorized by law. f. Due to compelling health or safety needs, g. To Congress, h. Pursuant to court order. 2An

exception to this section is made for information gathered in anticipation of a civil action.


APPENDIX A

42

to criminal law enforcement, national security, foreign policy, or qualifications for federal employment; or is used for statistical or archival purposes. Finally, the Act prescribes civil and criminal penalties for failure to comply with its provisions. THE TAX REFORM ACT OF 1976 (I.R.C. SECTIONS 6103, 6110) The Tax Reform Act of 1976, notably Sections 6103 and 6110, reflects Congressional balancing of the needs of particular agencies for tax information against the citizen's right to privacy, plus the effect disclosure would have on our voluntary tax assessment system. A. Section 6103 Under the Privacy Act and the former Section 6103, government agencies could receive tax information from the IRS by simply showing an official need for the information. The Tax Reform Act, recognizing the uniquely private nature of tax information, makes access to information more difficult by declaring that `returns and return information” (as defined in the statute)3 are confidential and can be disclosed only as provided by statute. Disclosure of returns and return information is permitted under Section 6103 in the following circumstances:4 1. To Congressional committees or the President upon written request by specified committee officials or by the President. 2. For tax administration purposes: to Treasury and Justice Department employees, to judicial or administrative proceedings, and to others in specifically prescribed circumstances. 3. For state tax administration purposes: to state but not local agencies, following a showing that the information is needed for tax purposes and will be used during the year received. 4. For nontax criminal investigations: information obtained directly from the taxpayer or his representative is disclosable to another agency only after obtaining an ex parte order from a federal judge. Information gathered by the IRS during an examination or investigation may be disclosed to another agency when the information is necessary to pursue a federal criminal investigation and the request comes from the agency head (in the case of the Justice Department, the Attorney General, Deputy Attorney General, or an Assistant Attorney General). The Secretary is also authorized to disclose return information, other than taxpayer return information,5 which is evidence of a violation of federal crime to the extent necessary to inform the head of the agency charged with enforcing such laws.6

3Return and return information are defined supra. Note that within the term `return information” is ànypart of any written determination or any background file document…which is not open to public inspection under section 6110.” In addition, return information does not include data in a form that `cannot be associated with or otherwise identify, directly or indirectly, a particular taxpayer.” 4This list describes the major situations in which disclosures are permitted but is not exhaustive. 5Taxpayer return information is defined as return information `filedwith or furnished to the Secretary by or on behalf of the taxpayer.” 6Currently pending before Congress are several bills that would amend Section 6103 insofar as it relates to IRS disclosure of returns and return information to other federal agencies for use in nontax investigations. These bills, if enacted, would allow for greater disclosure in certain circumstances. Some of these proposals would maintain the requirement of a court order for the disclosure of actual tax returns but eliminate the requirement for other tax information; permit disclosure without a court order for tax information relating to entities that are not individuals (e.g., corporations); limit the penalties for unauthorized disclosures due to a good faith but erroneous interpretation of Section 6103; clarify and limit the standards for the issuance of the court orders currently required for disclosure; require mandatory disclosure to the Justice Department of tax information that may constitute evidence of a federal crime; expand the group of agency personnel authorized to request and make disclosures; or authorize the Justice Department or a U.S. attorney to disclose to state officials, pursuant to court order, information relevant to the violation of a state felony statute.


APPENDIX A

43

5. For statistical use: to the Departments of Commerce, Treasury, and the Federal Trade Commission. 6. For nontax civil purposes: to specified government agencies and bodies to aid in the administration of their programs. 7. Pursuant to taxpayer authorization: to the taxpayer himself or as provided by a written designation unless the Secretary determines that such disclosure would seriously impair federal tax administration. The Act specifically prohibits redisclosure of information by recipient agencies, and the IRS is charged with assuring that these agencies safeguard tax information to prevent unauthorized disclosure. The IRS must report each quarter to Congress the safeguards used by such recipient agencies. Section 6103 also requires that after using the information, the recipient agency must either return it to the IRS or render it undisclosable. In addition, Section 6103 requires the IRS to maintain a record of information disclosure and report this information to the Congress annually. B. Section 6110 Section 6110 establishes the general rule that any `written determination,”7 along with its `background file documents,” are to be available for public inspection.8 Under Section 6110 certain information is required to be deleted from these publicly available documents including: identifying details of the person to whom the document pertains and of most other persons; information specifically authorized to be kept secret in the interest of national security or foreign policy; information specifically exempted by statute from disclosure; privileged or confidential trade secret, commercial, or financial information; and disclosure of information which would constitute a `clearly unwarranted invasion of personal privacy.” Disclosure of the identity of the subject of a written determination is limited to specific cases and can be made only pursuant to a court order. Section 6110 also provides for notice to the subject of a `written determination” of any intention to disclose the written determination or background documents. Any person who has an interest in maintaining the confidentiality of such information may contest disclosure, nondisclosure, or nondeletion of portions of such documents prior to disclosure. The statute also provides for procedures to obtain additional disclosures. Section 6110 specifically states that the Internal Revenue Code shall provide the exclusive means by which the IRS shall be required to make available, or to refrain from disclosing, any written determination or background file documents.9

7A

`written determination” is defined by statute to be a `ruling, determination letter, or technical advice memorandum.” of this information is to be made generally available in a public reading room, while other information is disclosable only pursuant to a written request. 9An exception to this general rule is made for a discovery order granted in connection with a judicial proceeding. 8Certain


APPENDIX A

44

THE FREEDOM OF INFORMATION ACT (5 U.S.C. SECTION 552) The Freedom of Information Act requires federal agencies to make available to the public certain types of information maintained by the agencies. Specifically, the information which must be disclosed includes:10 1.

Descriptions of each agency's organization, general methods of operation, and policies. This includes substantive and procedural rules, statements of policy, administrative staff manuals, and staff instructions that might affect a member of the public, and information describing how the public can gain access to the agencies for information or submittals. 2. Final opinions, including concurring and dissenting opinions, as well as orders made in the adjudication of cases. To prevent a `clearly unwarranted invasion of personal privacy,” an agency may delete identifying details or statements of policy, opinions, interpretations, or staff manuals. The Freedom of Information Act specifically exempts from its disclosure requirements information that is in the Agency's opinion: 1. Information authorized by executive order to be kept secret in the interest of national security or foreign policy, or is specifically exempted by a statute that either forecloses without discretion public disclosure or establishes particular criteria for withholding information; 2. Trade secret and commercial or financial information that is privileged or confidential; 3. Information related solely to internal personnel rules, or consisting of interagency or intraagency memorandums or letters that would generally not be available to a party in litigation with the agency; 4. Personnel and medical files and similar files the disclosure of which would constitute a clearly unwarranted invasion of personal privacy; 5. Certain investigative records compiled for law enforcement purposes where disclosure would, inter alia, interfere with enforcement proceedings or investigations, constitute an unwarranted invasion of personal privacy, or endanger the life or safety of law enforcement personnel; or 6. Information related to financial institutions or geological or geophysical information. The Act also requires each agency to submit an annual report to Congress on compliance. The Tax Reform Act does not conflict with access to data under the Freedom of Information Act because section (b) (3) of the latter permits withholding information that is specifically exempted from disclosure by statute. To the extent that Section 6103 specifically exempts disclosure of returns and return information, such information need not be disclosed pursuant to the Freedom of Information Act, Section 6110.11 With respect to written determinations and background file

10Some of this information is required to be published in the Federal Register while other information must simply be made available for public inspection and copying. The Act applies to computer tapes to the same extent as other documents. U.S. v. Garber, 589 F.2d 843 (5th Cir. 1979). 11There still remains some question of what information will be considered `return and return information.” See the decision of Long v. IRS in footnote 13.


APPENDIX A

45

documents, Section 6110 preempts the Freedom of Information Act and provides that Section 6110 is the exclusive means for obtaining disclosure of such documents. COURT RESOLUTION OF CONFLICTS AND OVERLAPS IN THE STATUTORY AUTHORITY The three federal acts dealing with privacy and access to federal records clearly overlap in several respects. Most obviously, the Privacy Act, which generally limits disclosure of records concerning individuals, has a specific exemption for information required to be disclosed under the Freedom of Information Act. In addition, the Freedom of Information Act, which was enacted to provide greater public access to information maintained by federal agencies, permits agencies to deny access where, inter alia, the information is specifically exempted from disclosure by another statute; consists of personnel or similar files the disclosure of which would constitute a `clearly unwarranted invasion of personal privacy”; or contains trade secrets and commercial information obtained from a person; or is privileged or confidential. Finally, the Internal Revenue Code, Section 6110, states that it is the exclusive disclosure provision applicable to written determinations and background file documents. A. The Tax Reform Act and the Freedom of Information Act In enacting the 1976 Tax Reform Act, Congress displaced, for the most part, the Freedom of Information Act with respect to disclosure of tax returns, return information, written determinations and background file documents. The federal courts have attempted to reconcile the two by stating that Section 6103 falls within the latter's exception for a statute which `(A)requires that matters be withheld from the public in such a manner as to leave no discretion on the issue, or (B) establishes particular criteria for withholding or refers to particular types of matters to be withheld.”12 Therefore, any information that falls under the definition of `return and return information” as defined in the Tax Reform Act falls into a Freedom of Information Act disclosure exception.13 The cases reaching this conclusion all involved an attempt by an agency to withhold information under some relevant exception. The Supreme Court recently held that such exceptions are permissive.14 Therefore, while the disclosure provi-

12Breuhaus v. I.R.S., 609 F.2d 80, 82 (2d Cir. 1979); Chamberlain v. Kurtz, 589 F.3d 827, 839 (5th Cir. 1979); Freuhauf Corp. v. I.R.S., 566 F.2d 574, 578 (6th Cir. 1978); Kanter v. I.R.S., 478 F.Supp. 552, 556 (N.D. Ill, 1979); Grenier v. U.S. I.R.S. 449 F.Supp 834, 840 (D. Md. 1978). 13A recent decision indicates that `return and return information” may be interpreted narrowly. In Long v. IRS, 596 F.2d 362 (9th Cir. 1979), the court held that the source materials for the IRS Tax Compliance Measurement Program may be disclosable under the FOIA if such disclosure would not entail a `significant risk of indirect identification.” The source material requested under the FOIA included check sheets and computer tapes derived from each individual tax return, but with all information identifying individual taxpayers deleted. The court sent the case back to the trial court for a determination of whether the disclosure would risk indirect identification. The Internal Revenue Service has stated that the Long decision could have a severe negative impact on the Service's ability to effectively administer the tax laws and could also have an adverse impact on the confidentiality and privacy protections of the code. The exemption could also work to bar a taxpayer's access to his own files where the IRS makes a determination under Section 6103 that disclosure would impair federal tax administration. Chamberlain v. Kurtz, 589 F.2d 827, 840 (5th Cir. 1979). 14Chrysler Corp. v. Brown, 441 U.S. 281 (1978).


APPENDIX A

46

sions of the Act are mandatory, each agency has discretion in deciding whether to release information that falls under a Freedom of Information Act exception. The Supreme Court in a footnote points out that the Act is distinguishable from the Privacy Act, which mandatorily restricts disclosure of certain records. However, the mandatory restrictions of Section 6103 would presumably be analogous to the Privacy Act and despite the FOIA's permissive exceptions, IRC Section 6103 would bar disclosure under the Freedom of Information Act of those returns and return information the agency was in favor of disclosing. In fact, while there has been no case directly involving a situation in which an agency was in favor of disclosure of materials which qualified for a Section 6103 exemption, several decisions indicate that `returns and return information” would be barred from disclosure even if the agency favored such disclosure. One court attempted to reconcile Section 6103 and the Act in light of the fact that the latter's exceptions were passed by Congress three weeks before Section 6103. It held that the more specific statute should govern the general statute and therefore Section 6103 must be the sole standard governing the release of tax return information.15 Another court held that return and return information must not be disclosed under the Freedom of Information Act leaving no discretion to the agency. The most recent decision in this area stated that àccess to tax materials is governed solely by the dictates of the Internal Revenue Code.”16 Once a return or return information has been made public (i.e., released to a court for judicial proceedings), neither regains its confidential nature upon return to the I.R.S.17 since information made public no longer can fall under a Freedom of Information Act exception. This is consistent with the general policy to construe its exceptions narrowly. It is clear that with respect to written determinations and background file documents, Congress intended that Internal Revenue Code Section 6110 provide the exclusive means of public access, other than through pretrial discovery.18 Written determinations that are exempted from public disclosure under Section 6110 are confidential and nondisclosable under Section 6103, and, as a result, are exempt from the Freedom of Information Act.19 Therefore, Congress effectively foreclosed resort to the latter's procedures for those documents within the Section 6110 definition of `written determinations” and `background file documents.” B. The Privacy Act and the Freedom of Information Act There is also an apparent conflict between the protections against disclosure in the Privacy Act and the policy in favor of disclosure permitted by the Freedom of Information Act. However, the Privacy Act expressly defers to the mandatory disclosure requirements of the latter. The Privacy Act states that agencies can disclose records without the consent of the individual involved where so required

15Zale

Corporation v. U.S. I.R.S., 481 F.Supp. 486, 490 (D.D.C. 1979). Busch, Inc. v. IRS, 481 F.Supp. 486 (D.D.C. 1980 C.A. No. 78–1326 July 24, 1980). 17Cooper v. IRS, 450 F.Supp. 752, 754 (D.D.C. 1977). 18Freuhauf Corp. v. IRS, 566 F.2d 574, 576–77 (6th Cir. 1977); Grenier v. U.S. I.R.S., 449 F.Supp. 834, 839 (D. Md. 1978); Conway v. U.S. I.R.S., 447 F.Supp. 1128, 1131 (D.D.C. 1978). Section 6110 was passed by Congress in response to several cases in which plaintiffs sought the release under the Freedom of Information Act of certain written determinations and related documents. 19Grenier, 449 F.Supp. at 840. 16Anheuser


APPENDIX A

47

by the Act. Several courts have noted that where information must be disclosed under it, that information can be made public even though otherwise protected by the Privacy Act, but where the Act allows for agency discretion in disclosing the information, the Privacy Act would prevent disclosure unless the agency complies with the Privacy Act consent requirements.20 It is therefore fairly clear that the Privacy Act will not protect against disclosure of information required to be disclosed under the Freedom of Information Act.21 With respect to information which an individual seeks to have released under the Privacy Act, one court has noted that the Act exemptions from disclosure do not provide grounds for withholding material available under the Privacy Act.22 However another court stated that material actually withheld by an agency pursuant to an exception under the Act is appropriately withheld under the Privacy Act as well.23 Thus, there appears to be an unresolved conflict with respect to information that falls within an exemptionfrom-disclosure provision of the Freedom of Information Act but which an individual wants released under the Privacy Act. The issue will probably not arise with respect to tax returns, return information, written determinations, or background file documents, since the Internal Revenue Code sections will almost always be held to provide the sole standards of disclosure for such tax materials.

20Florida Med. Assoc. v. Dept. of Health, Ed., and Welfare, 479 F.Supp. 1291, 1306 (M.D. Fla. 1979); Plain Dealer Publishing Co. v. U.S. Dept. of Labor, 471 F.Supp. 1013 (D.D.C. 1979); Providence Journal Co. v. FBI, 460 F.Supp. 762, 767 (D. R.I. 1978). 21It should be noted that another court recently stated that the Freedom of Information Act cannot compel disclosure of information the Privacy Act clearly contemplates to be exempt. In that case an agency exempted from disclosure an entire system of records as permitted under the Privacy Act. Terkel v. Kelly, 599 F.2d 214, 216 (7th Cir. 1979). 22Irons v. Bell, 596 F.2d 468, 470 (1st Cir. 1979). 23Prouidence Journal Co. v. FBI, 460 F.Supp. 762, 767 (D. R.I. 1978).


APPENDIX B

48

Appendix B BRIEFINGS AND DOCUMENTS PROVIDED TO THE COMMITTEE

BRIEFINGS 1.

Subject General Introduction and Orientation

2.

The Integrated Data Retrieval System; Service Center Operations; Privacy Act of 1974; Tax Reform Act of 1976; Freedom of Information Act of 1968

3.

Site visit to Atlanta Service Center; Cost—Benefit Analysis of TAS (Tax Administration System); Original Justification for Integrated Data and Retrieval System Microfilm Replacement Program; Program Integrity; Internal Audit; IRS Telecommunications; Systems Programming

4. 5.

Site Visit to National Computer Center

6.

Possible Changes to IRS Schedule

Place IRS National Office, Washington, D.C. October 10, 1979 National Research Council, Washington, D.C. December 12, 1979 Atlanta, Georgia February 20–21, 1980 IRS National Office, Washington, D.C. April 16, 1980 Martinsburg, W.Va. April 17, 1980 National Research Council, Washington, D.C. June 18, 1980

DOCUMENTS REVIEWED 1. 2. 3. 4. 5. 6.

Highlights on Organization and Functions of the Internal Revenue Service (IRS). Internal IRS Document, September 1979. Automatic Data Processing (ADP) in IRS. Internal IRS Document, September 1979. IRS Organization Chart. Internal IRS Document, September 1979. IRS Security/Privacy Programs. Internal IRS Document, October 1979. Inventory of Current Service Center and National Computer Center Equipment. Internal IRS Document, September 1979. Equipment Replacement Program Management Plan. Internal IRS Document, September 1979.


APPENDIX B

7.

8. 9. 10. 11. 12. 13. 14.

15. 16. 17. 18. 19. 20. 21. 22. 23. 24. 25. 26. 27. 28. 29.

49

Summaries of General Accounting Office Reports as follows: (a) A Proposed Automated Tax Administration System for IRS, November 22, 1976; (b) Safeguarding Taxpayer Information, January 17, 1977; (c) IRS Security Program Requires Improvements to Protect Confidentiality of Income Tax Information, July 1, 1977; (d) An Analysis of IRS Proposed Tax Administration System: Lessons for the Future, March 1, 1978. Office of Technology Assessment Summary Report, A Preliminary Analysis of the IRS Tax Administration System, March 1977. TAS Privacy Issues & Their Relationship to Current Plans. Internal IRS Document, November 28, 1978. 3/79 Equipment Replacement Program Milestone. Internal IRS Document, March 1979. Letter of December 20, 1977 to Office of Management and Budget from Senate Judiciary Committee Members. Internal IRS Document. Brooks Committee Correspondence. Internal IRS Document, May 2, 1978. Chart—Present Computer System. Internal IRS Document, October 1979. Thirteenth Report by the Committee on Government Operations: A Citizen's Guide on How to Use the Freedom of Information Act and the Privacy Act in Requesting Government Documents. U.S. Government Printing Office, Washington, D.C., 1977. Privacy Act of 1974. Internal IRS Document (Document 6372, rev. November 1978). 2050A Applications from Feasibility Study. Internal IRS Document, December 1979. Integrated Data Retrieval System. Publication 785, Internal Revenue Service (Rev. January 1976). Service Center Pipeline System (H2050A). Internal IRS Document, undated. Chart—NCC Weekly Master File Processing Flow. Internal IRS Document, October 1979. Systems Analysis Special Study on: Current CDC 3500 Applications. Internal IRS Document, October 1979. `Viewpoint—How Confidential is the Tax Return?”, The Tax Advisor, American Institute of Certified Public Accountants, February 1979. CY-1978 Volume of Disclosures of Tax Returns and/or Tax Return Information. Internal IRS Document, undated. Internal Revenue Code Section 6103, Confidentiality and Disclosure of Returns and Return Information, Commerce Clearing House, 1978. Master File Data as of cycles: 7904, 7908, 7913, 7917, 7930, 7935, 7939, and 7943. Internal IRS Document, undated. Feasibility Study on Service Center Replacement System. Internal IRS Document, October 1979. Equipment Replacement Program, Transition Plan—Level IV. Internal IRS Document, February 8, 1980. Service Center Replacement System. Request for Proposals Solicitation No. IRS-80–38 (2/80) March 11, 1980. Report on IDRS Response Time/Capacity Analysis. Internal IRS Document, February 1980. A Review of the Data Management System of the Social Security Administration. National Academy of Sciences, Washington, D.C., 1978.


APPENDIX B

50

30. A Second Review of the Data Management System of the Social Security Administration. National Academy of Sciences, Washington, D.C., 1979. 31. Circular A-109, Office of Management and Budget, Executive Office of the President, April 5, 1976. 32. Database Management Systems—Without Careful Planning There Can Be Problems. General Accounting Office, Washington, D.C., 1979. 33. Information Technology and Governmental Reorganization: Summary of the Federal Data Processing Project National Technical Information Service, Springfield, Virginia, 1979. 34. Federal Data Processing Policies and Regulations. Office of Management and Budget, Washington, B.C., December 1978. 35. The Citizen as Taxpayer. U.S. Government Printing Office, Washington, D.C., 1977. 36. How Taxpayer Satisfaction with IRS Handling of Problem Inquiries Could be Increased. U.S. General Accounting Office, September 1979. 37. Executive Summary, Microfilm Systems Study, Computerized Alternatives. Internal IRS Document, April 1980. 38. Study of the Integrated Data Retrieval System—Comparing Benefits and Costs. Internal IRS Document, April 1980. 39. Actions Regarding GAO Recommendations. Internal IRS Document, April 1980. 40. IDRS Response Time Study. Federal Computer Performance Evaluation and Simulation Center, Washington, D.C., October 1979. 41. Programmers' Handbook for IBM Systems. Internal IRS Document, 1978– 1980.

Review of Tax Processing System Planning for the Internal Revenue Service - A Report to the Internal Revenue Service Department of the Treasury

Russia Revenue

The Theory and Practice of Revenue Management

Department of the Treasury Blueprint for Actions

Deja Review Internal Medicine

Knowledge Services Management: Organizing Around Internal Markets (Service Science: Research and Innovations in the Service Economy)

Service for the Dead

Service for the Dead

Service for the Dead

Service for the Dead

Service For The Dead

The Service of the Sword

The service of the sword

The Service of the Sword

Knowledge Services Management: Organizing Around Internal Markets (Service Science: Research and Innovations in the Service Economy)

The Service of the Sword

The service of the sword

Service For The Dead

Service for the Dead

Service for the

The Service of the Sword

Cecil Review of General Internal Medicine

Globalization, the internal dynamic

The Internal Clock

The Internal Auditing Handbook

The Internal Auditing Handbook

Regulating the Internal Market

Revenue Statistics 2010

The Complete System of Self-Healing: Internal Exercises

Internal Friction of Materials

Review of Tax Processing System Planning for the Internal Revenue Service - A Report to the Internal Revenue Service Department of the Treasury

Russia Revenue

The Theory and Practice of Revenue Management

Department of the Treasury Blueprint for Actions

Deja Review Internal Medicine

Knowledge Services Management: Organizing Around Internal Markets (Service Science: Research and Innovations in the Service Economy)

Service for the Dead

Service for the Dead

Service for the Dead

Service for the Dead

Service For The Dead

The Service of the Sword

The service of the sword

The Service of the Sword

Knowledge Services Management: Organizing Around Internal Markets (Service Science: Research and Innovations in the Service Economy)

The Service of the Sword

The service of the sword

Service For The Dead

Service for the Dead

Service for the

The Service of the Sword

Cecil Review of General Internal Medicine

Globalization, the internal dynamic

The Internal Clock

The Internal Auditing Handbook

The Internal Auditing Handbook

Regulating the Internal Market

Revenue Statistics 2010

The Complete System of Self-Healing: Internal Exercises

Internal Friction of Materials

Recommend Documents