Lambert here: Excellent outline of IRS data-sharing protocols, and the weakness of anonymization.
Department of Government Efficiency (DOGE) affiliates are reportedly accelerating their attempts to seek unprecedented disclosure of confidential tax information by asking IRS officials to approve extraordinarily broad sharing of taxpayers’ data across federal agencies. But a less understood part of the story is that DOGE may already have accessed substantial and sensitive taxpayer data that is held at agencies other than the IRS–even without a new data sharing agreement–including taxpayer identification numbers, amounts of income, and bank account information. We do not know whether DOGE officials are abiding by taxpayer privacy laws that still apply to those other agencies and related protocols intended to guard against misuse.
The laws governing IRS data sharing with other agencies make clear that the IRS is responsible for ensuring that the law is followed — including after the data leaves the agency. If the IRS is unable to confirm that the law’s data protections will be followed at the other agency, the data cannot lawfully be shared with that agency.
DOGE affiliates have in recent weeks sought access to systems at many government agencies–including the Social Security Administration, Department of Education, Department of Health and Human Services, and Bureau of the Fiscal Service–that contain confidential tax return information. The same stringent laws that protect tax data at the IRS from unlawful use, inspection, or disclosure — section 6103 of the Internal Revenue Code and related statutes — also apply to tax data held at other agencies. Anyone who inspects or discloses tax data without complying with the law risks criminal liability including up to five years incarceration and fines up to $5,000. Any affected taxpayer could also bring civil litigation seeking money damages beginning at $1,000 per violation.
The unprecedented disclosure of confidential taxpayer information that DOGE affiliates are now seeking goes well beyond existing data sharing that occurs pursuant to section 6103.
Tax data is lawfully shared by the IRS with other federal agencies under limited circumstances detailed in section 6103….
All agencies receiving confidential taxpayer data from the IRS must also adhere to the strict data security guidelines detailed in Publication 1075….
There has been no reporting indicating that DOGE or other political appointees are assiduously following the laws and protocols governing SSA use of taxpayer data, nor has reporting addressed whether the IRS is fulfilling its oversight responsibilities….
There are serious questions about whether DOGE or other political appointees are assiduously following the laws and protocols governing BFS’s use of taxpayer data.
There has been no reporting indicating that DOGE or other political appointees are assiduously following the laws and protocols governing the Department of Education’s use of taxpayer data, nor has reporting addressed whether the IRS is fulfilling its oversight responsibilities….
There has been no reporting indicating that DOGE or other political appointees are assiduously following the laws and protocols governing HHS’s use of taxpayer data, nor has reporting addressed whether the IRS is fulfilling its oversight responsibilities….
Key questions remain about whether DOGE affiliates have inspected or disclosed return information held in systems at agencies other than the IRS. If they have, it is unknown whether they have been specifically authorized to do so for an authorized purpose, and whether they have been complying with protocols in the statute, IRS policies, and data-sharing agreements that apply to employees and contractors who properly access the information. If DOGE affiliates have improperly inspected or disclosed return information–including redisclosure beyond an agency that lawfully received the information in the first instance–then they could be subject to criminal penalties including imprisonment (up to five years) and fines (up to $5,000). They could also be exposed to civil liability, with money damages beginning at $1,000 per unauthorized inspection or disclosure.
It is also important to understand whether tax data has been or will be accessed by DOGE affiliates at other agencies because it could inform the risks of misuse of tax data at the IRS. Some reporting suggests that IRS data viewable by DOGE affiliates will be “anonymized,” but it is very difficult to truly anonymize tax data so that it is not traceable to particular taxpayers. Even if IRS data were successfully anonymized, it could potentially be de-anonymized if DOGE cross-references across data sets it has access to from other agencies beyond the IRS. For example, SSA receives taxpayers’ W-2 information, so “anonymized” W-2s at the IRS could be matched to non-anonymized W-2s at SSA. Likewise, de-anonymized details about income amount and source, dependents, filing status, and educational institutions in datasets at the Department of Education could be matched to anonymized IRS data to identify individuals.
Add new comment