5101:12-1 Ohio Support Enforcement Program
5101:12-1-22 Safeguarding of Information from the Internal Revenue Service
Effective Date: April 1, 2018

(A)       This rule describes the procedures a child support enforcement agency (CSEA) is required to follow in order to safeguard information received from the internal revenue service (IRS). The procedures for safeguarding federal tax information (FTI) are based upon the tax information security guidelines described in IRS Publication 1075 (rev. 9/2016). IRS Publication 1075 is available at www.irs.gov. The safeguarding requirements of this rule apply to any paper, electronic, or imaged record.

(B)       Failure to comply with the safeguarding requirements of this rule shall result in the revocation of access to the support enforcement tracking system (SETS) or any other computer application that contains information from the IRS.

(C)       For purposes of this rule and its supplemental rules, FTI is defined as federal tax return information other than information provided by the taxpayer, including but not limited to:

(1)       Address information obtained from the IRS;

(2)       Social security numbers obtained from the IRS;

(3)       Federal tax filing status; or

(4)       Identification of the payment source as an IRS tax refund offset collection.

(D)       Each CSEA shall complete and submit to the office of child support (OCS) within the Ohio department of job and family services (ODJFS) a JFS 07072, "Safeguarding of Internal Revenue Service, Ohio Department of Taxation, Federal Parent Locator Service, and Unemployment Compensation Information" (effective or revised effective date as identified in rule 5101:12-1-99 of the Administrative Code) no later than the last day of March each year. The JFS 07072 must be signed and dated by the director or administrator of the CSEA.

(E)       The CSEA shall notify OCS at least sixty days prior to re-disclosing FTI to a contractor so that OCS may notify the IRS office of safeguards at least forty-five days prior to the re-disclosure.

(F)       The CSEA shall notify OCS at least sixty days prior to re-disclosing FTI to a sub-contractor so that OCS may notify the IRS office of safeguards and obtain written approval at least forty-five days prior to the re-disclosure.

(G)       The CSEA shall prior to re-disclosing FTI to a contractor or sub-contractor:

(1)       Establish privacy roles and responsibilities for contractors and service providers;

(2)       Include privacy requirements in contracts and other acquisition-related documents;

(3)       Share FTI externally only for authorized purposes and in a manner compatible with those purposes;

(4)       Enter into a contract, service level agreement, memorandum of understanding, memorandum of agreement, letter of intent, computer matching agreement, or similar agreement, with third parties that specifically describes the FTI covered and specifically enumerates the purposes for which the FTI may be used;

(5)       Monitor, audit, and train CSEA staff on the authorized uses and sharing of FTI with third parties and on the consequences of unauthorized use or sharing of FTI; and

(6)       Evaluate any proposed new instances of sharing FTI with third parties to assess whether they are authorized and whether additional or new public notice is required.

(H)       For each individual with access to FTI that is an employee of: the CSEA; a contractor of the CSEA; or a sub-contractor to provide goods or services on behalf of a contractor of the CSEA, the CSEA shall ensure that:

(1)       FTI safeguarding training is completed upon employment or re-employment and on an annual basis thereafter. The FTI safeguarding training shall include, but is not limited to:

(a)       Disclosure awareness training;

(b)       Security awareness training;

(c)        Role-based training;

(d)       Contingency training; and

(e)       Incident response training.

(2)       Each individual certifies his or her understanding of policies and procedures for safeguarding FTI by completing the FTI safeguarding training and a JFS 07014, "Tax Information Safeguarding Authorization Agreement" (effective or revised effective date as identified in rule 5101:12-1-99 of the Administrative Code).

(a)       FTI safeguarding training and a JFS 07014 must be completed upon employment or re-employment and on an annual basis thereafter.

(i)         An individual who has been granted access to SETS in accordance with paragraph (F) of rule 5101:12-1-15 of the Administrative Code has met this requirement.

(ii)        Any other individual who has access to FTI must complete the FTI safeguarding training and a JFS 07014.

(b)       The initial certification and recertification:

(i)         If completed in accordance with paragraph (H)(2)(a)(i) of rule 5101:12-1-22 of the Administrative Code, will be maintained by OCS and made available to the IRS upon request.

(ii)        If completed in accordance with paragraph (H)(2)(a)(ii) of rule 5101:12-1-22 of the Administrative Code, shall be maintained by the CSEA and made available to OCS and/or the IRS upon request.

(a)       These records must be retained for a minimum of five years in accordance with requirements under IRS Publication 1075; or

(b)       In accordance with the county records commission in the county in which the CSEA serves when the county records commission requires a retention period more than five years.

(3)       A permanent FTI tracking system is utilized. FTI may be tracked using any of the following methods:

(a)       The FTI tracking database provided by OCS;

(b)       The JFS 07019, "Federal Tax Information Item Tracking Log" (effective or revised effective date as identified in rule 5101:12-1-99 of the Administrative Code); or

(c)        An alternative FTI tracking database, provided that:

(i)         The database contains all of the same data elements as the JFS 07019; and

(ii)        The CSEA submits the database to OCS for approval and OCS approves the database.

(4)       A permanent system of standardized records is established and maintained with regard to requests made for information from the IRS that includes:

(a)       The reason for the request;

(b)       The date the request is made;

(c)        The date FTI is received; and

(d)       The name of the employee(s) having access to the information.

(5)       FTI is stored during non-duty hours in accordance with the secure storage and minimum protection standards described in IRS Publication 1075;

(6)       Access to file keys and safe combinations is limited to employees responsible for safeguarding FTI and a maximum of two alternates who are permitted access to the FTI;

(7)       FTI is limited to those individuals who are authorized to inspect and use the information. Limiting access to FTI must meet the IRS Publication 1075 standards by:

(a)       Designating restricted areas;

(b)       Creating an authorized access list; and

(c)        Developing physical access authorizations.

(8)       Commingling standards described in IRS Publication 1075 are followed. FTI may be maintained either separately from a file or within a file. When FTI is maintained within a file, the outside jacket of the file shall have a label stating that the file contains FTI;

(9)       Mail received containing FTI is properly labeled as described in paragraph (H)(11)(a) of this rule and is not opened before delivery to the CSEA employee, contractor, or sub-contractor responsible for safeguarding the information;

(10)     Computer stations are safeguarded in accordance with standards described in IRS Publication 1075. Computer stations may be safeguarded by:

(a)       Restricting access to only authorized staff;

(b)       Utilizing password protections;

(c)        Utilizing screen savers; and

(d)       Logging out of the system.

(11)     Correspondence containing FTI is properly transmitted according to the following standards:

(a)       When sending the correspondence by ordinary mail, the agency shall send the correspondence in a double-sealed envelope with a label on the inner envelope that alerts the recipient that the mail contains FTI;

(b)       When sending the correspondence by electronic mail, the agency shall send the correspondence as an attachment to the electronic message that is encrypted and password protected. The text of the electronic message shall alert the recipient that the attachment contains FTI; and

(c)        When sending the correspondence by facsimile (i.e., fax), the agency shall:

(i)         Include a cover sheet that alerts the fax recipient that the correspondence contains FTI and indicates the name of the intended fax recipient;

(ii)        Verify that the intended fax recipient is a an authorized person; and

(iii)       Verify that the intended fax recipient will be present at the fax machine to receive the correspondence at the time the CSEA sends it.

(12)     FTI is only destroyed in accordance with the destruction methods described in IRS Publication 1075 when FTI is no longer needed by the agency and that the destruction is tracked as described in paragraph (H)(3) of this rule.

Replaces: 5101:12-1-20.2

Effective: 4/1/2018

Five Year Review (FYR) Dates: 04/01/2023

Certification: CERTIFIED ELECTRONICALLY

Date: 03/12/2018

Promulgated Under: 119.03

Statutory Authority: 3125.08, 3125.25, 3125.51

Rule Amplifies: 3125.03, 3125.08, 3125.43, 3125.50

Prior Effective Dates: 08/01/1982, 12/16/1989, 10/01/1990, 04/01/1991, 01/01/1992, 02/11/1993, 09/01/1994, 06/02/2001, 07/01/2002, 01/01/2006, 06/15/2006, 03/01/2012