(A)This rule
describes the procedures a child support enforcement agency (CSEA) is required
to follow in order to safeguard information received from the internal revenue
service (IRS). The procedures for safeguarding federal tax information (FTI)
are based upon the tax information security guidelines described in IRS
publication 1075 (rev. 9/201611/2021). IRS Publication 1075 is available at
www.irs.gov. The safeguarding requirements of this rule apply to any paper,
electronic, or imaged record.
(B)Failure to
comply with the safeguarding requirements of this rule shall result in the
revocation of access to the support enforcement tracking system (SETS) or any
other computer application that contains information from the IRS.
(C)For purposes of
this rule and its supplemental rules, FTI is defined as federal tax return
information other than information provided by the taxpayer, including but not
limited to:
(1)Address
information obtained from the IRS;
(2)Social security
numbers obtained from the IRS;
(3)Federal tax
filing status; or
(4)Identification
of the payment source as an IRS tax refund offset collection.
(D)Each CSEA shall
complete and submit to the office of child support (OCS) within the Ohio department
of job and family services (ODJFS) a JFS 07072, "Safeguarding of Internal
Revenue Service, Ohio Department of Taxation, Federal Parent Locator Service,
and Unemployment Compensation Information" (effective or revised effective
date as identified in rule 5101:12-1-99 of the Administrative Code) no later
than the last day of MarchApril
each year. The JFS 07072 must be signed and dated by the director or
administrator of the CSEA.
(E)In accordance with rule 5101:9-9-26 of
the Administrative Code, each CSEA will develop a written procedure requiring
all: final candidates, as defined in rule 5101:9-9-26 of the Administrative
Code, current employees, prospective contractors or sub-contractors and,
current contractors and sub-contractors who are or will be granted access to
FTI to submit to a background investigation that is favorably adjudicated and
is in accordance with the IRS publication 1075. The written procedure is to be
made available to OCS and/or the IRS upon request.
(E)(F)The CSEA shall notify OCS at least sixty days
prior to re-disclosing FTI to a contractor so that OCS may notify the IRS
office of safeguards at least forty-five days prior to the re-disclosure.
(F)(G)The CSEA shall notify OCS at least sixty days
prior to re-disclosing FTI to a sub-contractor so that OCS may notify the IRS
office of safeguards and obtain written approval at least forty-five days prior
to the re-disclosure.
(G)(H)The CSEA shall prior to re-disclosing FTI to a
contractor or sub-contractor:
(1)Establish
privacy roles and responsibilities for contractors and service providers;
(2)Include privacy
requirements in contracts and other acquisition-related documents;
(3)Share FTI
externally only for authorized purposes and in a manner compatible with those
purposes;
(4)Enter into a
contract, service level agreement, memorandum of understanding, memorandum of
agreement, letter of intent, computer matching agreement, or similar agreement,
with third parties that specifically describes the FTI covered and specifically
enumerates the purposes for which the FTI may be used;
(5)Monitor, audit,
and train CSEA staff on the authorized uses and sharing of FTI with third
parties and on the consequences of unauthorized use or sharing of FTI; and
(6)Evaluate any
proposed new instances of sharing FTI with third parties to assess whether they
are authorized and whether additional or new public notice is required.
(H)(I)For each individual with access to FTI that
is an employee of: the CSEA; a contractor of the CSEA; or a sub-contractor to
provide goods or services on behalf of a contractor of the CSEA, the CSEA shall
ensure that:
(1)A background investigation is completed
in accordance with rule 5101:9-9-26 of the Administrative Code;
(1)(2)FTI safeguarding training is completed upon
employment or re-employment and on an annual basis thereafter. The FTI
safeguarding training shall include, but is not limited to:
(a)Disclosure
awareness training;
(b)Security
awareness training;
(c)Role-based
training;
(d)Contingency
training; and
(e)Incident
response training.
(2)(3)Each individual certifies his or her
understanding of policies and procedures for safeguarding FTI by completing the
FTI safeguarding training and a JFS 07014, "Tax Information Safeguarding
Authorization Agreement" (effective or revised effective date as
identified in rule 5101:12-1-99 of the Administrative Code).
(a)FTI
safeguarding training and a JFS 07014 must be completed upon employment or
re-employment and on an annual basis thereafter.
(i)An individual
who has been granted access to SETS in accordance with paragraph (F) of rule
5101:12-1-15 of the Administrative Code has met this requirement.
(ii)Any other
individual who has access to FTI must complete the FTI safeguarding training
and a JFS 07014.
(b)The initial
certification and recertification: will be maintained by OCS and made available to the IRS upon
request. These records are to be retained for a minimum of five years in
accordance with requirements under IRS publication 1075.
(i)If completed in accordance with
paragraph (H)(2)(a)(i) of rule 5101:12-1-22 of the Administrative Code, will be
maintained by OCS and made available to the IRS upon request.
(ii)If completed in accordance with
paragraph (H)(2)(a)(ii) of rule 5101:12-1-22 of the Administrative Code, shall
be maintained by the CSEA and made available to OCS and/or the IRS upon
request.
(a)These records must
be retained for a minimum of five years in accordance with requirements under
IRS publication 1075; or
(b)In accordance with
the county records commission in the county in which the CSEA serves when the
county records commission requires a retention period more than five years.
(3)(4)A permanent FTI tracking system is utilized.
FTI may be tracked using any of the following methods:
(a)The FTI
tracking database provided by OCS;
(b)The JFS 07019,
"Federal Tax Information Item Tracking Log" (effective or revised
effective date as identified in rule 5101:12-1-99 of the Administrative Code);
or
(c)An alternative
FTI tracking database, provided that:
(i)The database
contains all of the same data elements as the JFS 07019; and
(ii)The CSEA
submits the database to OCS for approval and OCS approves the database.
(4)(5)A permanent system of standardized records is
established and maintained with regard to requests made for information from
the IRS that includes:
(a)The reason for
the request;
(b)The date the
request is made;
(c)The date FTI
is received; and
(d)The name of the
employee(s) having access to the information.
(5)(6)FTI is stored during non-duty hours in
accordance with the secure storage and minimum protection standards described
in IRS publication 1075;
(6)(7)Access to file keys and safe combinations is
limited to employees responsible for safeguarding FTI and a maximum of two
alternates who are permitted access to the FTI;
(7)(8)FTI is limited to those individuals who are
authorized to inspect and use the information. Limiting access to FTI must meet
the IRS publication 1075 standards by:
(a)Designating
restricted areas;
(b)Creating an
authorized access list; and
(c)Developing
physical access authorizations.
(8)(9)Commingling standards described in IRS
publication 1075 are followed. FTI may be maintained either separately from a
file or within a file. When FTI is maintained within a file, the outside jacket
of the file shall have a label stating that the file contains FTI;
(9)(10)Mail received containing FTI is
properly labeled as described in paragraph (HI)(11)(a) of this rule and is not opened before
delivery to the CSEA employee, contractor, or sub-contractor responsible for
safeguarding the information;
(10)(11)Computer stations are safeguarded in
accordance with standards described in IRS publication 1075. Computer stations
may be safeguarded by:
(a)Restricting access
to only authorized staff;
(b)Utilizing
password protections;
(c)Utilizing
screen savers; and
(d)Logging out of
the system.
(11)(12)Correspondence containing FTI is
properly transmitted according to the following standards:
(a)When sending
the correspondence by ordinary mail, the agency shall send the correspondence
in a double-sealed envelope with a label on the inner envelope that alerts the
recipient that the mail contains FTI;
(b)When sending
the correspondence by electronic mail, the agency shall will only send the correspondence
as an attachment to the electronic message that
is encrypted and password protected. The text of the electronic message shall
alert the to a recipient that the attachment contains FTI;within the ODJFS email system, and:
(i)Alert the recipient in the text of the
electronic message that the attachment contains FTI; and
(ii)Send the correspondence as an
attachment to the electronic message that is encrypted and is password
protected; and
(iii)Send the password to access the
attachment in a separate electronic message.
(c)When sending
the correspondence by facsimile (i.e., fax), the agency shall:
(i)Include a
cover sheet that alerts the fax recipient that the correspondence contains FTI
and indicates the name of the intended fax recipient;
(ii)Verify that
the intended fax recipient is a an authorized
person; and
(iii)Verify that
the intended fax recipient will be present at the fax machine to receive the
correspondence at the time the CSEA sends it.
(12)(13)FTI is only destroyed in accordance
with the destruction methods described in IRS publication 1075 when FTI is no
longer needed by the agency and that the destruction is tracked as described in
paragraph (HI)(34) of this rule.
Effective: 11/1/2022
Five Year Review (FYR) Dates: 8/1/2022 and 11/01/2027
Certification: CERTIFIED ELECTRONICALLY
Date: 10/20/2022
Promulgated Under: 119.03
Statutory Authority: 3125.08, 3125.25,3125.51
Rule Amplifies: 3125.03, 3125.08, 3125.43, 3125.50
Prior Effective Dates: 08/01/1982, 12/16/1989, 10/01/1990,
04/01/1991, 01/01/1992, 02/11/1993, 09/01/1994, 06/02/2001, 07/01/2002,
01/01/2006, 06/15/2006, 04/01/2012, 04/01/2018