IRS sets the standard for protecting privacy
With a special tool designed to ensure that information is protected when new information systems are built, the IRS is setting the standard for federal agencies and other governments in protecting privacy in the age of electronic information.
In an interview with Government Executive, Peggy Irving, the IRS' privacy advocate, said the era of electronic records has people more concerned about privacy than ever before. "The public is more concerned about electronic records than paper records," she said, "especially because they can be sent globally in an instant."
Irving said it is important to ask who has access to sensitive information and to identify whether controls are in place to uphold privacy policies, especially when numerous databases are connected with one another across agency boundaries as a result of new initiatives to share information.
Since taking over the position in 1999, Irving has created a privacy impact assessment (PIA), which the IRS uses to help design new information systems under its massive Business Systems Modernization program. "The IRS uses the PIA to ultimately review what information should be collected and why it should be collected," Irving said. "It also asks if the information is relevant and from the most timely and accurate source."
The PIA asks a series of questions designed to ensure privacy protection is designed into new information systems and to ensure that only the least amount of personal information is collected. "Identity theft has become an issue," Irving said. "We analyze every IRS form and scrub them to make sure the agency is only asking for the information we absolutely need."
Irving's work at the IRS has not gone unnoticed. The federal Chief Information Officer's Council has called the PIA a best practice. Other federal agencies have come to the IRS for advice on privacy standards and assessments, as have businesses and foreign governments.
Irving is not hesitant to share the PIA. She has met with representatives from the FBI, the Coast Guard and the Navy to discuss the best practices embodied by the tool. "The FBI immediately saw the rightness of the PIA…[the agency] really does want to assure the public and encourage cooperation," she said.
In 1993, the IRS became the first federal agency to have a privacy advocate. Irving took over the position in 1999 after working on privacy and disclosure issues at the Justice Department for more than 20 years. She said the Department of Health and Human Services was the next agency to create the position, since Americans are as concerned about the privacy of their medical information as they are about their financial information.
The positions of privacy advocate and chief privacy officer have since become more prevalent in both the public and private sectors. To date, such companies as Hewlett-Packard Co., IBM Corp. and Proctor & Gamble Co. have created privacy advocate positions. Agencies including the Justice Department and the Postal Service have also appointed privacy advocates. Irving's office has grown from a staff of three to a staff of 12, reflecting the premium the IRS puts on privacy, she said.