Rule 2025-08504

Privacy Act of 1974; Exempting a System of Records From Certain Requirements

Primary source

Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.

Published: May 14, 2025
Effective: June 13, 2025

Issuing agencies

Treasury Department

Abstract

In accordance with the requirements of the Privacy Act of 1974, as amended, the Department of the Treasury is issuing a final rule, exempting a new Internal Revenue Service (IRS) system of records (SOR) entitled "Department of Treasury/Internal Revenue Service-- 34.018, Insider Risk Management Records" from certain provisions of the Privacy Act. The IRS Insider Risk Management system was established for information collected in connection with the IRS Insider Risk program to identify potential threats to IRS resources and information assets and facilitate management of insider threat investigations, complaints, inquiries, and counterintelligence threat detection activities. Specifically, the Department exempts portions of this SOR from one or more provisions of the Privacy Act because of criminal, civil, and administrative enforcement requirements.

Full Text

<html>
<head>
<title>Federal Register, Volume 90 Issue 92 (Wednesday, May 14, 2025)</title>
</head>
<body><pre>
[Federal Register Volume 90, Number 92 (Wednesday, May 14, 2025)]
[Rules and Regulations]
[Pages 20394-20396]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2025-08504]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF THE TREASURY

31 CFR Part 1

RIN 1505-AC84


Privacy Act of 1974; Exempting a System of Records From Certain 
Requirements

AGENCY: Internal Revenue Service, Department of the Treasury.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: In accordance with the requirements of the Privacy Act of 
1974, as amended, the Department of the Treasury is issuing a final 
rule, exempting a new Internal Revenue Service (IRS) system of records 
(SOR) entitled ``Department of Treasury/Internal Revenue Service--
34.018, Insider Risk Management Records'' from certain provisions of 
the Privacy Act. The IRS Insider Risk Management system was established 
for information collected in connection with the IRS Insider Risk 
program to identify potential threats to IRS resources and information 
assets and facilitate management of insider threat investigations, 
complaints, inquiries, and counterintelligence threat detection 
activities. Specifically, the Department exempts portions of this SOR 
from one or more provisions of the Privacy Act because of criminal, 
civil, and administrative enforcement requirements.

DATES: This rule is effective on June 13, 2025.

FOR FURTHER INFORMATION CONTACT: Chief Risk Officer, Internal Revenue 
Service, Office of the Chief Risk Officer, Enterprise Risk Management, 
1111 Constitution Ave. NW, Washington, DC 20224-0002; telephone: (801) 
612-4815.

SUPPLEMENTARY INFORMATION:

Background

    The Department of Treasury (TREAS) Internal Revenue Service (IRS) 
published a notice of proposed rulemaking (NPRM) in the Federal 
Register, 89 FR 41912, (published May 14, 2024), proposing to exempt 
portions of the SOR from one or more provisions of the Privacy Act 
because of criminal, civil, and administrative enforcement 
requirements. The SOR is TREAS/IRS 34.018, Insider Risk Management 
Records, 89 FR 36851, (published May 3, 2024) and 89 FR 48219 
(published correction June 5, 2024). The IRS Insider Risk Management 
program will use this SOR to identify potential threats to IRS 
resources and information assets and facilitate management of insider 
threat investigations, complaints, inquiries, and counterintelligence 
threat detection activities.
    Treasury's IRS bureau published the new system of records notice 
(SORN) to explain that the information is collected in connection with the 
implementation of the IRS Insider Risk program. Public comments were 
invited on both the NPRM and SORN.

Public Comments

    Treasury received no comments for the new Treasury/IRS 34.018, 
Insider Risk Management Records SORN.
    Treasury received one comment pertaining to the related NPRM prior 
to the close of the comment period on June 13, 2024. The commenter 
recommended that Treasury follow the Privacy Act but limit the use of 
the exemptions that are provided for within the Privacy Act. Treasury 
understands the commenter's views and concerns regarding the use of 
exemptions and the effects on privacy that may appear to limit 
transparency and diminish some privacy protections. The Privacy Act 
provides for the use of exemptions for the permitted purposes of 
protecting individuals and maintaining the effectiveness and safety of 
operations which may be harmed if access to a specific individual's 
records is provided. Treasury and IRS ensure the use of exemptions for 
this SOR is limited to what is necessary and appropriate to further 
those purposes.
    The remainder of the commenter's concerns related to the use of the 
<a href="http://Regulations.gov">Regulations.gov</a> website and were outside the scope of the proposed 
rule. Specifically, the comment raised concerns about <a href="http://Regulations.gov">Regulations.gov</a> 
website utilizing Google Analytics Third-Party Tracking Cookies, 
without the users' knowledge or consent. <a href="http://Regulations.gov">Regulations.gov</a> provides a 
link to their Privacy Policy and User Notice which address these 
concerns.
    In summary, Treasury appreciates the public comments and strives to 
be transparent regarding all Insider Threat collections and uses 
through publishing the SORN and Final Rule. After consideration of the 
public comments, Treasury has determined that it will implement the 
rulemaking as proposed.

Privacy Act

    Treasury is hereby promulgating a final rule to exempt the IRS 
Insider Risk Management SOR from certain provisions of the Privacy Act 
pursuant to 5 U.S.C. 552a(k)(2) and (k)(5) and the authority vested in 
the Secretary of the Treasury described in 31 CFR 1.23(c).
    Under 5 U.S.C. 552a(k)(2) (31 CFR 1.36), the head of any agency may 
promulgate rules to exempt any system of records within the agency from 
certain provisions of the Privacy Act if the system contains 
investigatory material compiled for law enforcement purposes that is 
not within the scope of 5 U.S.C. 552a(j)(2) (which applies to agencies 
and components thereof that perform as their principal function any 
activity pertaining to the enforcement of criminal laws).
    The Treasury exempts ``34.018, Treasury/IRS Insider Risk Management 
Records'' from certain provisions of the Privacy Act of 1974, pursuant 
to 5 U.S.C. 552a(k)(2). The exemptions are from sections 552a(c)(3), 
(d)(1)-(4), (e)(1), (e)(4)(G), (e)(4)(H), (e)(4)(I), and (f) because 
the system contains investigatory material compiled for law enforcement 
purposes. The following are the reasons this system of records 
maintained by the IRS may be exempted pursuant to 5 U.S.C. 552a(k)(2):
    (1) 5 U.S.C. 552a(c)(3) requires an agency to make accountings of 
disclosures of a record available to the individual named in the record 
upon their request. Any such accountings must state the date, nature, 
and purpose of each disclosure of the record and the name and address 
of the recipient. Applying this subsection could alert the subject of 
an investigation of an actual or potential criminal, civil, or 
regulatory violation to the existence of that investigation and reveal 
investigative interest on the part of the IRS. Disclosure of an 
accounting would therefore present a serious impediment to the IRS, 
Treasury, and other law enforcement agencies by permitting the subject 
of record to impede investigations, to tamper with witnesses or 
evidence, and to avoid detection or apprehension, which would undermine 
the entire investigative process. In the case of a delinquent account, 
such release might enable the subject of the investigation to dissipate 
assets before levy. When an investigation has been completed, 
information on disclosures made may continue to be exempted if the fact 
that an investigation occurred remains sensitive after completion.
    (2) 5 U.S.C. 552a(d)(1), (e)(4)(H) and (f)(2), (3) and (5) grant 
individuals access to records pertaining to them. An exemption from 
these provisions is appropriate because providing access to such 
records could inform the subject of an investigation of an actual or 
potential criminal, civil, or regulatory violation to the existence of 
that investigation and reveal investigative interest on the part of the 
IRS or another bureau or agency. Access to the records could permit the 
subject of a record to impede the investigation, to tamper with 
witnesses or evidence, and to avoid detection or apprehension. In 
addition, permitting access to such information could disclose 
security-sensitive information that could be detrimental to the IRS. 
Agency rules are exempt from the individual access provisions of 
subsection 5 U.S.C. 552a for this system of records; therefore, the IRS 
and Treasury are not required to establish requirements, rules or 
procedures with respect to such access.
    (3) 5 U.S.C. 552a(d)(2), (3) and (4), (e)(4)(H), and (f)(4) permit 
an individual to request amendment of a record pertaining to them and 
require the agency to provide notice on how to request an amendment, 
and provide procedures for reviewing, making determinations and the 
appeal process concerning amendments. Because these provisions depend 
on the individual having access to their records, and since this rule 
exempts the IRS system of records from the provisions of 5 U.S.C. 552a 
relating to access to records for the reasons set forth above, these 
provisions do not apply. Furthermore, an exemption from this 
requirement is appropriate because allowing individuals to amend 
certain records that pertain to them would interfere with the mechanism 
of ongoing investigations and law enforcement activities and would 
impose an unreasonable administrative burden by requiring 
investigations to be continually reinvestigated. In addition, 
permitting amendment to such information could disclose security-
sensitive information that could be detrimental to the IRS.
    (4) 5 U.S.C. 552a(e)(1) requires an agency to maintain in its 
records only such information about an individual as is relevant and 
necessary to accomplish a purpose of the agency required by statute or 
Executive order. Maintenance of information, as defined in 5 U.S.C. 
552a(a)(3), includes the collection and dissemination of information. 
An exemption from this provision is therefore appropriate because its 
application would require the IRS to make determinations at the time of 
collection about the relevance and necessity of collected information. 
Speculative determinations about the relevance and necessity of 
collected information may be impossible to determine immediately, as 
information that initially appears irrelevant and unnecessary often 
may prove particularly valuable; therefore, application of this 
provision to the system of records could impair the Department's 
ability to collect, utilize and disseminate valuable law enforcement 
information.
    (5) 5 U.S.C. 552a(e)(4)(G) and (f)(1) enable individuals to inquire 
whether a system of records contains records pertaining to them. An 
exemption from these provisions is appropriate because alerting 
individuals involved in illegal activity that the IRS has, or does not 
have, information that could lead to them being identified for 
investigation allows them to take steps to avoid detection, begin, 
continue, or resume illegal conduct upon learning that they are not 
identified in the system of records; or destroy evidence needed to 
prove the violation, all of which could undermine the IRS's ability to 
carry out its mission.
    (6) 5 U.S.C. 552a(e)(4)(I) requires an agency to publish a general 
notice listing the categories of sources for information contained in a 
system of records. The application of this provision to the system of 
records could disclose investigative techniques and cause informants to 
refuse to give full information for fear their identities as sources 
could be disclosed, subjecting them to threats or reprisals. This could 
compromise the IRS's ability to complete or continue investigations or 
to share useful information with law enforcement agencies.
    Treasury is also exempting ``34.018 Treasury/IRS Insider Risk 
Management Records'' from certain provisions of the Privacy Act of 
1974, pursuant to 5 U.S.C. 552a(k)(5). The exemptions are from 
provisions 552a(c)(3), (d)(1)-(4), (e)(1), (e)(4)(G), (e)(4)(H), 
(e)(4)(I), and (f) because the system contains investigatory material 
compiled solely for the purpose of determining suitability, 
eligibility, or qualifications for Federal civilian employment, Federal 
contracts, or access to classified information. The following are the 
reasons this system of records maintained by the IRS may be exempted 
pursuant to 5 U.S.C. 552a(k)(5):
    (1) The sections of 5 U.S.C. 552a from which the systems of records 
are exempt generally provide for individuals' access to or amendment of 
records. Such access may reveal the identity of a confidential source 
under an express promise that the source's identity would be held in 
confidence. This could hinder the IRS's ability to obtain future
confidential sources. In addition, 5 U.S.C. 552a(e)(1) is unduly 
restrictive in requiring the IRS to maintain only such information 
about an individual as is relevant and necessary to accomplish a 
purpose of the agency as required by a statute or executive order, 
since it is often not until well after the investigation that it is 
possible to determine the relevance and necessity of particular 
information.
    (2) IRS claims the exemptions 5 U.S.C. 552a(j)(2) and (k)(2) if any 
investigatory material contained in the above-named system becomes 
involved in criminal or civil matters.

Regulatory Analysis

    As required by Executive Order 12866, as amended, it has been 
determined that this final rule is not a significant regulatory action, 
and therefore, does not require a regulatory impact analysis.
    The regulation will not have a substantial direct effect on the 
States, on the relationship between the Federal Government and the 
States, or on the distribution of power and responsibilities among the 
various levels of government. Therefore, it is determined that this 
final rule does not have federalism implications under Executive Order 
13132.
    Pursuant to the requirements of the Regulatory Flexibility Act, 5 
U.S.C. 601-612, it is hereby certified that these regulations will not 
have a significant economic impact on a substantial number of small 
entities. The final rule imposes no duties or obligations on small 
entities.
    In accordance with the provisions of the Paperwork Reduction Act of 
1995, the Department of the Treasury has determined that this final 
rule would not impose new recordkeeping, application, reporting, or 
other types of information collection requirements.

List of Subjects in 31 CFR Part 1

    Privacy.

    The Department of the Treasury amends part 1 of title 31 of the 
Code of Federal Regulations as follows:

PART 1--DISCLOSURE OF RECORDS

1. The authority citation for part 1 continues to read as follows:

    Authority:  5 U.S.C. 301, 552, 552a, 553; 31 U.S.C. 301, 321; 31 
U.S.C. 3717.


2. Amend Sec.  1.36 by:
a. In paragraph (g)(1)(vii), adding an entry to Table 16 to Paragraph 
(g)(1)(vii) in alpha-numeric order; and
b. In paragraph (k)(1)(iii), adding an entry to Table 23 to Paragraph 
(k)(1)(iii) in alpha-numeric order.
    The additions read as follows:


Sec.  1.36  Systems exempt in whole or in part from provisions of the 
Privacy Act and this part.

* * * * *
    (g) * * *
    (1) * * *
    (vii) Internal Revenue Service.

                    Table 16 to Paragraph (g)(1)(vii)
------------------------------------------------------------------------
                    No.                            Name of system
------------------------------------------------------------------------
 
                              * * * * * * *
IRS 34.018................................  Treasury/IRS Insider Risk
                                             Management Records.
 
                              * * * * * * *
------------------------------------------------------------------------

* * * * *
    (k) * * *
    (1) * * *
    (iii) Internal Revenue Service.

                    Table 23 to Paragraph (k)(1)(iii)
------------------------------------------------------------------------
                    No.                            Name of system
------------------------------------------------------------------------
IRS 34.018................................  Treasury/IRS Insider Risk
                                             Management Records.
 
                              * * * * * * *
------------------------------------------------------------------------

* * * * *

Ryan Law,
Deputy Assistant Secretary Privacy, Transparency, and Records.
[FR Doc. 2025-08504 Filed 5-13-25; 8:45 am]
BILLING CODE 4810-AK-P


</pre></body>
</html>
Indexed from Federal Register on May 14, 2025.
