Potential Privacy Concern: Unforeseen Government Data Mishap May Jeopardize Your Private Information's Security
The Internal Revenue Service (IRS) recently experienced a data sharing incident that affected the Free Application for Federal Student Aid (FAFSA) application system. According to the Treasury Inspector General for Tax Administration, the issue occurred due to a problem with the coding of the IRS system.
Section 6103 of the Internal Revenue Tax Code ensures that personal taxpayer data is private information, unless it is being investigated for a law enforcement purpose. However, the IRS has an agreement that allows for the sharing of taxpayer data with the Department of Education, but only with taxpayer consent. In this case, the IRS sent incorrect taxpayer data to the Department of Education, affecting the FAFSA application system.
The IRS has been working on their enterprise data platform for several years to deconflict fields and data across hundreds of systems. The aim is to improve data sharing and reduce errors. However, production or work stopping on modernization programs could delay these efforts.
The IRS uses a testing package of general fake tax information for all development and testing, which could potentially lead to unidentified errors in new systems. In this instance, using masked live taxpayer data during testing could have helped identify errors before sharing information with other agencies.
The FAFSA system ensured taxpayer consent before releasing personal information to the Department of Education. The FUTURE Act, passed in December 2019, established a new information sharing agreement between the IRS and the Department of Education. The agreement was not necessarily part of the rollout of the new FAFSA, but it was designed to make filing the FAFSA easier and simpler.
The IRS has lost over a quarter of its information technology experts, which is a concern for the modernization of the IRS. The IRS fixed the problem within eight days, reprocessing over seven million applications.
The IRS is concerned about the potential risks of data consolidation across federal agencies, as highlighted by this data sharing issue with the FAFSA system. The March 2025 executive order aims to remove barriers and promote interagency data sharing agreements, but this could potentially lead to more errors in data shared between federal agencies. Decisions could be made based on incorrect data if there are errors in data shared across federal agencies.
Control over the confidential tax data of the IRS lies within the IRS itself. All agencies or contractors handling Federal Tax Information (FTI) must comply with strict security and privacy controls defined by IRS Publication 1075 and 4812 to ensure confidentiality and data protection. These controls are overseen internally and audited accordingly.
The IRS has an agreement with the Department of Education to share taxpayer data, but only with taxpayer consent. This incident serves as a reminder of the potential risks associated with inter-agency data sharing and the importance of rigorous testing and security measures. The investigation into the incident provided a detailed timeline and information about the data shared. The incorrect data was sent in April 2024, during the first year the system went live.
In conclusion, while inter-agency data sharing can have benefits, it also presents potential risks. The IRS will need to carefully consider these risks and take appropriate measures to protect taxpayer data in future data sharing agreements.
