90 FR 92 pgs. 20394-20396 - Privacy Act of 1974; Exempting a System of Records From Certain Requirements
Type: RULEVolume: 90Number: 92Pages: 20394 - 20396
Pages: 20394, 20395, 20396FR document: [FR Doc. 2025-08504 Filed 5-13-25; 8:45 am]
Agency: Treasury Department
Official PDF Version: PDF Version
[top]
DEPARTMENT OF THE TREASURY
31 CFR Part 1
RIN 1505-AC84
Privacy Act of 1974; Exempting a System of Records From Certain Requirements
AGENCY:
Internal Revenue Service, Department of the Treasury.
ACTION:
Final rule.
SUMMARY:
In accordance with the requirements of the Privacy Act of 1974, as amended, the Department of the Treasury is issuing a final rule, exempting a new Internal Revenue Service (IRS) system of records (SOR) entitled "Department of Treasury/Internal Revenue Service-34.018, Insider Risk Management Records" from certain provisions of the Privacy Act. The IRS Insider Risk Management system was established for information collected in connection with the IRS Insider Risk program to identify potential threats to IRS resources and information assets and facilitate management of insider threat investigations, complaints, inquiries, and counterintelligence threat detection activities. Specifically, the Department exempts portions of this SOR from one or more provisions of the Privacy Act because of criminal, civil, and administrative enforcement requirements.
DATES:
This rule is effective on June 13, 2025.
FOR FURTHER INFORMATION CONTACT:
Chief Risk Officer, Internal Revenue Service, Office of the Chief Risk Officer, Enterprise Risk Management, 1111 Constitution Ave. NW, Washington, DC 20224-0002; telephone: (801) 612-4815.
SUPPLEMENTARY INFORMATION:
Background
The Department of Treasury (TREAS) Internal Revenue Service (IRS) published a notice of proposed rulemaking (NPRM) in the Federal Register , 89 FR 41912, (published May 14, 2024), proposing to exempt portions of the SOR from one or more provisions of the Privacy Act because of criminal, civil, and administrative enforcement requirements. The SOR is TREAS/IRS 34.018, Insider Risk Management Records, 89 FR 36851, (published May 3, 2024) and 89 FR 48219 (published correction June 5, 2024). The IRS Insider Risk Management program will use this SOR to identify potential threats to IRS resources and information assets and facilitate management of insider threat investigations, complaints, inquiries, and counterintelligence threat detection activities.
Treasury's IRS bureau published the new system of records notice (SORN) to explain the information is collected in connection with the implementation of the IRS Insider Risk program. Public comments were invited on both the NPRM and SORN.
Public Comments
Treasury received no comments for the new Treasury/IRS 34.018, Insider Risk Management Records SORN.
Treasury received one comment pertaining to the related NPRM prior to the close of the comment period on June 13, 2024. The commenter recommended that Treasury follow the Privacy Act but limit the use of the exemptions that are provided for within the Privacy Act. Treasury understands the commenter's views and concerns regarding the use of exemptions and the effects on privacy that may appear limit transparency and diminish some privacy protections. The Privacy Act provides for the use of exemptions for the permitted purposes of protecting individuals and maintaining the effectiveness and safety of operations which may be harmed if access to a specific individual's records is provided. Treasury and IRS ensure the use of exemptions for this SOR is limited to what is necessary and appropriate to further those purposes.
The remainder of the commenter's concern related to the use of the Regulations.gov website and were outside the scope of the proposed rule. Specifically, the comment raised concerns about Regulations.gov website utilizing Google Analytics Third-Party Tracking Cookies, without the users' knowledge or consent. Regulations.gov provides a link to their Privacy Policy and User Notice which address these concerns.
[top] In summary, Treasury appreciates the public comments and strives to be transparent regarding all Insider Threat collections and uses through publishing the SORN and Final Rule. After consideration of the public comments, Treasury has determined that it will implement the rulemaking as proposed.
Privacy Act
Treasury is hereby promulgating a final rule to exempt the IRS Insider Risk Management SOR from certain provisions of the Privacy Act pursuant to 5 U.S.C. 552a(k)(2) and (k)(5) and the authority vested in the Secretary of the Treasury described in 31 CFR 1.23(c).
Under 5 U.S.C. 552a(k)(2) (31 CFR 1.36), the head of any agency may promulgate rules to exempt any system of records within the agency from certain provisions of the Privacy Act if the system contains investigatory material compiled for law enforcement purposes that is not within the scope of 5 U.S.C. 552a(j)(2) (which applies to agencies and components thereof that perform as their principal function any activity pertaining to the enforcement of criminal laws).
The Treasury exempts "34.018, Treasury/IRS Insider Risk Management Records" from certain provisions of the Privacy Act of 1974, pursuant to 5 U.S.C. 552a(k)(2). The exemptions are from sections 552a(c)(3), (d)(1)-(4), (e)(1), (e)(4)(G), (e)(4)(H), (e)(4)(I), and (f) because the system contains investigatory material compiled for law enforcement purposes. The following are the reasons this system of records maintained by the IRS may be exempted pursuant to 5 U.S.C. 552a(k)(2):
(1) 5 U.S.C. 552a(c)(3) requires an agency to make accountings of disclosures of a record available to the individual named in the record upon their request. Any such accountings must state the date, nature, and purpose of each disclosure of the record and the name and address of the recipient. Applying this subsection could alert the subject of an investigation of an actual or potential criminal, civil, or regulatory violation to the existence of that investigation and reveal investigative interest on the part of the IRS. Disclosure of an accounting would therefore present a serious impediment to the IRS, Treasury, and other law enforcement agencies by permitting the subject of record to impede investigations, to tamper with witnesses or evidence, and to avoid detection or apprehension, which would undermine the entire investigative process. In the case of a delinquent account, such release might enable the subject of the investigation to dissipate assets before levy. When an investigation has been completed, information on disclosures made may continue to be exempted if the fact that an investigation occurred remains sensitive after completion.
(2) 5 U.S.C. 552a(d)(1), (e)(4)(H) and (f)(2), (3) and (5) grant individuals access to records pertaining to them. An exemption from these provisions is appropriate because providing access to such records could inform the subject of an investigation of an actual or potential criminal, civil, or regulatory violation to the existence of that investigation and reveal investigative interest on the part of the IRS or another bureau or agency. Access to the records could permit the subject of a record to impede the investigation, to tamper with witnesses or evidence, and to avoid detection or apprehension. In addition, permitting access to such information could disclose security-sensitive information that could be detrimental to the IRS. Agency rules are exempt from the individual access provisions of subsection 5 U.S.C. 552a for this system of records, therefore, the IRS and Treasury are not required to establish requirements, rules or procedures with respect to such access.
(3) 5 U.S.C. 552a(d)(2), (3) and (4), (e)(4)(H), and (f)(4) permit an individual to request amendment of a record pertaining to them and require the agency to provide notice on how to request an amendment, and provide procedures for reviewing, making determinations and the appeal process concerning amendments. Because these provisions depend on the individual having access to their records, and since this rule exempts the IRS system of records from the provisions of 5 U.S.C. 552a relating to access to records for the reasons set forth above, these provisions do not apply. Furthermore, an exemption from this requirement is appropriate because allowing individuals to amend certain records that pertain to them would interfere with the mechanism of ongoing investigations and law enforcement activities and would impose an unreasonable administrative burden by requiring investigations to be continually reinvestigated. In addition, permitting amendment to such information could disclose security-sensitive information that could be detrimental to the IRS.
(4) 5 U.S.C. 552a(e)(1) requires an agency to maintain in its records only such information about an individual as is relevant and necessary to accomplish a purpose of the agency required by statute or Executive order. Maintenance of information, as defined in 5 U.S.C. 552a(a)(3), includes the collection and dissemination of information. An exemption from this provision is therefore appropriate because its application would require the IRS to make determinations at the time of collection about the relevance and necessity of collected information. Speculative determinations about the relevance and necessity of collected information may be impossible to determine immediately, as information that initially appears irrelevant and unnecessary, often may prove particularly valuable, therefore application of this provision to the system of records could impair the Department's ability to collect, utilize and disseminate valuable law enforcement information.
(5) 5 U.S.C. 552a(e)(4)(G) and (f)(1) enable individuals to inquire whether a system of records contains records pertaining to them. An exemption from these provisions is appropriate because alerting individuals involved in illegal activity that the IRS has, or does not have, information that could lead to them being identified for investigation allows them to take steps to avoid detection, begin, continue, or resume illegal conduct upon learning that they are not identified in the system of records; or destroy evidence needed to prove the violation, all of which could undermine the IRS's ability to carry out its mission.
(6) 5 U.S.C. 552a(e)(4)(I) requires an agency to publish a general notice listing the categories of sources for information contained in a system of records. The application of this provision to the system of records could disclose investigative techniques and cause informants to refuse to give full information for fear their identities as sources could be disclosed, subjecting them to threats or reprisals. This could compromise the IRS's ability to complete or continue investigations or to share useful information to law enforcement agencies.
Treasury is also exempting "34.018 Treasury/IRS Insider Risk Management Records" from certain provisions of the Privacy Act of 1974, pursuant to 5 U.S.C. 552a(k)(5). The exemptions are from provisions 552a(c)(3), (d)(1)-(4), (e)(1), (e)(4)(G), (e)(4)(H), (e)(4)(I), and (f) because the system contains investigatory material compiled solely for the purpose of determining suitability, eligibility, or qualifications for Federal civilian employment, Federal contracts, or access to classified information. The following are the reasons this system of records maintained by the IRS may be exempted pursuant to 5 U.S.C. 552a(k)(5):
[top] (1) The sections of 5 U.S.C. 552a from which the systems of records are exempt generally provide for individuals' access to or amendment of records. Such access may reveal the identity of a confidential source under an express promise that the source's identity would be held in confidence. This could hinder the IRS's ability to obtain future
(2) IRS claims the exemptions 5 U.S.C. 552a(j)(2) and (k)(2) if any investigatory material contained in the above-named system becomes involved in criminal or civil matters,
Regulatory Analysis
As required by Executive Order 12866, as amended, it has been determined that this final rule is not a significant regulatory action, and therefore, does not require a regulatory impact analysis.
The regulation will not have a substantial direct effect on the States, on the relationship between the Federal Government and the States, or on the distribution of power and responsibilities among the various levels of government. Therefore, it is determined that this final rule does not have federalism implications under Executive Order 13132.
Pursuant to the requirements of the Regulatory Flexibility Act, 5 U.S.C. 601-612, it is hereby certified that these regulations will not have a significant economic impact on a substantial number of small entities. The final rule imposes no duties or obligations on small entities.
In accordance with the provisions of the Paperwork Reduction Act of 1995, the Department of the Treasury has determined that this final rule would not impose new recordkeeping, application, reporting, or other types of information collection requirements.
List of Subjects in 31 CFR Part 1
Privacy.
The Department of the Treasury amends part 1 of title 31 of the Code of Federal Regulations as follows:
PART 1-DISCLOSURE OF RECORDS
1. The authority citation for part 1 continues to read as follows:
Authority:
5 U.S.C. 301, 552, 552a, 553; 31 U.S.C. 301, 321; 31 U.S.C. 3717.
2. Amend §?1.36 by:
a. In paragraph (g)(1)(vii), adding an entry to Table 16 to Paragraph (g)(1)(vii) in alpha-numeric order; and
b. In paragraph (k)(1)(iii), adding an entry to Table 23 to Paragraph (k)(1)(iii) in alpha-numeric order.
The additions read as follows:
§?1.36 Systems exempt in whole or in part from provisions of the Privacy Act and this part.
(g) * * *
(1) * * *
(vii) Internal Revenue Service.
| No. | Name of system |
|---|---|
| * * * * * * * | |
| IRS 34.018 | Treasury/IRS Insider Risk Management Records. |
| * * * * * * * |
(k) * * *
(1) * * *
(iii) Internal Revenue Service.
| No. | Name of system |
|---|---|
| IRS 34.018 | Treasury/IRS Insider Risk Management Records. |
| * * * * * * * |
Ryan Law,
Deputy Assistant Secretary Privacy, Transparency, and Records.
[FR Doc. 2025-08504 Filed 5-13-25; 8:45 am]
BILLING CODE 4810-AK-P