Maintaining a strict privacy policy and confidentiality protocol is crucial for any tax preparer, whether self-employed or hired by a business. This applies to all tax preparers, including certified public accountants, enrolled agents, and even attorneys.
Data confidentiality requirements apply to information collected on paper and electronically, as well as web forms and email. This means tax preparers must have a system in place to ensure their privacy policy and data confidentiality guidelines are followed at all times.
Tax preparers have a duty to create and follow strict electronic and procedural safeguards to ensure taxpayer personal information is secure and not available to unauthorized parties. This requirement is detailed in the Internal Revenue Code.
What the IRC says about disclosing taxpayer data
Section 7216 of the Internal Revenue Code prohibits the IRS and tax professionals from knowingly or recklessly disclosing tax return information to anyone else without the taxpayer’s explicit consent. Violation of this rule is a federal crime that may draw a fine of up to $1,000 and imprisonment for as long as a year for each violation.
Section 6713 of the IRC imposes a $250 civil penalty on anyone engaged in preparing taxes who discloses information furnished for the purposes of preparation, or uses the information for anything outside of tax preparation. Section 6713 doesn’t require the disclosure to be knowing or reckless and applies to casual preparers who are compensated and intermediate service providers.
Consent can be provided either with Form 8821 or Form 2848. However, there are several exceptions to the non-disclosure rule.
Exceptions to IRS Code Section 7216
Under Treasury Regulations section 301.7216-2, sharing a taxpayer’s tax information without consent is permitted by law only under the following circumstances:
- Law enforcement has a court order. If a law enforcement agency or official has obtained a valid court order for a taxpayer’s information, that information must be furnished.
- During tax administration investigations. Sometimes a taxpayer’s information may be shared with third parties during audits and probes. However, Internal Revenue Code Section 6103(k)(6) allows limited disclosure of information necessary to the investigation only when there’s no other reasonable way to obtain that material.
- The Social Security Administration needs to establish liability for FICA taxes. If the SSA needs to establish a taxpayer’s liability for FICA taxes, federal SSA administrators may request the appropriate information to make this determination. This exception doesn’t apply to state Social Security administrators, however.
- The state makes a request in writing. If state tax authorities request client information in writing, a taxpayer’s information can be disclosed.
A tight security protocol eliminates the potential for penalties
The penalties for violating a taxpayer’s right to confidentiality are steep. Taxpayers can file a civil lawsuit for damages when their tax information has been illegally furnished to another party.
In 2015, the Federal Trade Commission filed a complaint against tax software company TaxSlayer, LLC, alleging that malicious hackers gained access to 9,000 accounts. The complaint charged that hackers used the data to file fraudulent tax returns and obtain tax refunds.
The complaint filed by the FTC accused TaxSlayer of violating the Gramm-Leach-Bliley Act’s Safeguards Rule and Privacy Rule. As a result, the company was ordered to obtain biennial third-party assessments for ten years to ensure ongoing compliance.
Strategies for maintaining your privacy policy and confidentiality guidelines
1. Provide a written copy of your privacy policy to clients
Savvy clients will ask for a copy of your privacy policy before they’ll do business with you. Some people may not realize that’s an option, though.
Even when prospective clients don’t ask for it, you should provide them with a copy of your privacy policy the first time you meet. It’s actually required by law.
If you don’t have a written privacy policy, better get it done. Your privacy policy should outline exactly how a taxpayer’s information will be shared with employees, company officials, contractors, and any other third parties.
Your privacy policy should also include the exceptions outlined above, so the taxpayer knows your legal obligations to provide their information to third parties. Be as detailed and specific as possible, and cite the IRC so your clients know the laws concerning their data.
2. Create procedures that support adherence to your privacy policy
Possessing a strong privacy policy is vital, but following the policy is critical. It’s not difficult to devise a privacy policy that sounds good, but you need procedures in place to fulfill those commitments.
For example, if you outsource your tax prep, explain the details in your privacy policy so your clients can give their explicit consent to share their data.
3. Double down on electronic data security
State and federal laws require tax preparers to maintain control over the security of electronic data from clients. Each state has its own set of data privacy laws, some of which are inspired by the GDPR.
Most state laws require businesses to disclose exactly what personal information is collected, and the purposes for which it is used. Businesses are required to provide consumers with a copy of their data—or delete the data—upon request. All valid deletion requests must be honored.
You can never be too careful about how you handle data privacy. Regardless of what the laws currently allow, it’s best to maintain top security practices such as end-to-end encryption and user authentication.
How to maintain strict control over electronic client data
Restrict access to all desktop and cloud-based applications by requiring employees to log in to an account, and do not allow shared credentials. The following access mistakes can be disastrous:
- Leaving computers and software unprotected. Say you have tax prep software installed on all the machines in your office. If any one of those machines can be accessed without a password—and if your tax prep software isn’t password-protected—you’re asking for trouble.
  - If you have employees who don’t handle client data as part of their job, they probably aren’t authorized to view that data. Unprotected computers and passwords give them access to it, however. No matter how much you trust your employees, keep your local machines password-protected at all times.
  - Even when all your employees handle client data, it’s a good idea to password-protect all the computers. Clients might bring their kids or a friend into the office when they’re working late. If there’s an unprotected machine, you can’t be certain who could gain access to client data.
- Not encrypting data end-to-end and over email. You may not think twice about sending client data through unencrypted emails. However, emails are routed through several different servers and that data can be captured at any point along the way. Any time client data gets transferred, it must be encrypted in transit.
Bypass the stress of privacy concerns with Taxfyle
Are you confused or frustrated trying to stay compliant with ever-changing data protection laws? Onshoring your tax return preparation with Taxfyle is the best way to maintain client privacy as required by law.
We use top-of-the-line, secure software and servers to keep client data safe. Our licensed tax professionals use a variety of accounting software, so we can match you with professionals who have the same software as your team.
We take data security seriously, so we encrypt all client data at rest and in transit. Our database maintains strict SOC 2-compliant controls for data security, information policy, and compliance requirements. Your clients’ personal financial data is safe with Taxfyle.
We’ll prepare as many returns as you need, so you can focus on client relationships and augmenting your primary operations. Request a live demo today and see how we can transform your firm.