1

Components Additional Resources

• Policy

• Procedures

• Definitions

• Authority/References

• Revenue’s Reference List of Confidential Information

• Child Support Confidentiality – Disclosure of Information Procedure

• Child Support Confidentiality – Access and Use of Information Procedure

• General Schedule for State and Local Government Agencies (GS1-SL)

• IRS Publication 1075

• Public Records Policy

• Protection and Use of Information Technology Resources Policy

• Protection and Use of Information Technology Resources Procedures

Policy Confidential Information Policy

Procedures A. Data Classification Data classification is the classification of data based on its level of sensitivity and the impact to the Department should that data be disclosed, altered or destroyed without proper authorization. Each year, information owners, designated by program directors and executive office directors, have the responsibility to classify data within their area of responsibility. The classification of data helps determine what baseline security controls are appropriate for safeguarding data. All Department data should be classified as either confidential or non-confidential. Records containing confidential information must be secured as outlined in Section C, Data Security. Confidential Confidential information is prohibited from disclosure under state and federal laws, rules and regulations. Confidential information shall be accessible only to those persons who, based upon the performance of job duties, have a need to access the information, as authorized by the information owner. There are two types of confidential information within the Department:

• Confidential state information includes:

Effective Date: DATE

PROCEDURES: Confidential Information Florida Department of Revenue

2

o Most state tax returns or return information. o Child support case and business partner information. o Certain personal and administrative information that the Department possesses.

Confidential state information can be hard copy (paper), electronic, or may exist in any other format.

• Confidential federal information includes: o Federal Tax Information (FTI) received from the Internal Revenue Service (IRS) and the Federal

Office of Child Support Enforcement (OCSE). o Information from the Federal Office of Child Support Enforcement, Federal Parent Locator and

other state's child support programs. Examples are: Multi-State Financial Intercepts, Federal Case Registry.

Confidential federal information can be hard copy (paper), electronic, or may exist in any other format. Non-Confidential Non-confidential information is not prohibited from disclosure by statute, is open for public record inspection, and may be published or released in response to a public records request, as outlined in Chapter 119, Florida Statutes (F.S.). Securing Records Once records are classified, information owners must determine the required level of security to provide and the security controls needed to protect the information based in the Department’s policy and procedures. When determining the level of security to provide, consider the following:

• Sensitivity of information

• Value of information

• Replaceability of information When determining the type of security controls to provide, consider the following:

• Physical controls (e.g., alarm systems, entry control systems, doors, locks, safes, file cabinets and fire extinguishers).

• Procedural controls (e.g., backup and disaster recovery processes, management oversight, physical inventory and security training).

• Technical controls (e.g., user authentication (login) and logical access controls such as encryption and firewalls).

• Legal, regulatory and compliance controls (i.e., pre-determined controls required by state or federal laws, rules or regulations).

B. Data Collection State and federal laws, rules, and regulations allow the Department to collect confidential and personal information pertaining to taxpayers, child support customers and employees. This information, when in the Department’s possession, must be used for official business purposes and only as legally authorized.

3

Social Security Numbers Section 119.071(5)(a)2. a., F.S. does not allow collection of an individual’s Social Security Number (SSN) unless the Department has stated in writing (notice) the purpose for its collection. This notice shall include the following:

• Whether the SSN collection is mandatory under state or federal law, or whether it is voluntary.

• The purpose for collecting the SSN and if it is specifically authorized by law or imperative for the performance of the Department’s duties and responsibilities as prescribed by law.

• The reference to the state and federal laws governing the collection, use, and release of SSNs for each purpose for which the Department collects the SSN, including any authorized exceptions that apply to such collection, use and release.

A copy of this written notice must be provided to the individual providing the SSN. SSNs collected by the Department may not be used for any purpose other than the purpose provided in the written statement. SSNs maintained by the Department may only be disclosed as allowed by Section 119.071(5)(a)6, F.S.

C. Data Security Storage Requirements Minimum protection standards for the storage of confidential information in its physical form require two protective barriers to deter, delay, or help detect unauthorized access to the information. The second barrier must prevent access to confidential information by individuals who may have access through the first barrier, but are not authorized to access the confidential information maintained within the first barrier. Examples of two barriers meeting this requirement include the following:

• Secured perimeter and secured work area.

• Secured perimeter and secured file room or container.

• Secured work area and secured file room or container.

• Secured file room and secured container.

During business hours, employees may serve as the second barrier between confidential information and unauthorized individuals. Access Requirements Employees must restrict access to confidential information to reduce the possibility of unauthorized access or disclosure. Employees must secure and protect records containing confidential information from disclosure, regardless of format. Information owners will discontinue employee access to confidential information when no longer needed to conduct their duties and responsibilities. This is accomplished by following the procedures identified in the Office of Workforce Management separation process. Employees or contractors located “offshore” (outside of the United States or its territories) may not access federal tax information. Handling Requirements All employees with job duties that require them to handle confidential information are required to safeguard the information and only access it, use it, or disclose it as expressly authorized by law and in compliance with Department policies and procedures.

4

Employees must handle confidential information in a manner that ensures it is not lost or made accessible to unauthorized persons. Confidential information should never be left in an empty workstation, break room, copy room or restroom. Confidential information must not be removed from a Department facility unless authorized as necessary for a work-related purpose. Employees must carry only those confidential records necessary to complete the task. Employees must, always, keep all confidential information in their possession while in transit, and transport it in a manner which does not allow unauthorized access to the information (e.g., keep the information in a locked briefcase or a vehicle trunk). Employees who transport confidential paper or electronic records, must ensure the information is protected from unauthorized access or disclosure, and take precautions so the information is not misplaced. If the records to be transported are electronic, they must be encrypted to prevent unauthorized access. Clean-Desk Requirements The Department will enforce clean-desk requirements in all offices. Employees must:

• Ensure confidential documents do not leave the employee’s immediate control.

• Never leave confidential documents in plain view. Employees must take precautions to conceal the confidential information from view, such as temporarily placing in a file folder or envelope or locking the documents in a file cabinet or other storage container.

• Secure all confidential information when leaving work areas and when other authorized employees are not present.

• Secure all confidential information for which they are responsible before leaving at the end of the workday and when not in use in accordance with the requirements in these procedures.

Mailing Requirements Before sending confidential information through regular mail or courier service:

• Verify the address of the recipient.

• Include a return address for the sender on the outside of the envelope.

• Verify that the correct information is being mailed or delivered to the correct individual. o Ensure the content inside the envelope is for the person addressed on the outside of the

envelope. o Double-check all documents to be sure to include only the information for the recipient and do

not accidentally include another customer’s information.

• Adequately seal the envelope or package to prevent unauthorized access or accidental opening. Additional program-specific requirements for mailing confidential information can be found in operational program policies and procedures. When sending FTI through mail or courier service, the information must be double-sealed, one envelope within another. The information should be prepared as follows:

• The inner envelope will include the information and a completed transmittal document showing to whom the FTI is being sent.

5

• The exterior of the inner envelope will be marked confidential and labeled to indicate that only the designated official or delegate is authorized to open it.

• The outermost envelope should not be labelled as FTI or give any indication that the contents contain FTI.

Using sealed boxes meets the double-sealing requirement for mailing FTI. The box should not be labeled as containing FTI or give any indication that its contents include FTI. A completed transmittal document showing to whom the FTI is being sent must be included inside the sealed box. Facsimile Requirements for Devices Connected to Analog Lines Confidential state or federal information may be provided by fax transmission over an analog line. Employees must follow these procedures:

• Prior to sending, verify that the recipient is authorized to receive the confidential information being provided.

• Ensure that the authorized recipient is available to receive the transmission.

• Include a cover sheet that explicitly provides guidance to the recipient that the information is confidential and to notify the sender if they are not the intended recipient of the information.

• Ensure that the fax transmission is sent to the correct fax number provided by the authorized recipient.

• Do not leave the fax machine unattended during the transmission and ensure that no confidential information is left on the fax machine after transmission.

• If the fax transmission was sent to an incorrect number, attempt to find out where the fax transmission was received and retrieve the confidential information. Report the incident using Ethics Link.

Multi-Function Printer-Copier-Scanner-Fax Device (MFD) Requirements MFDs may not be used to scan, fax or email FTI. However, MFDs may be used to copy and print FTI. MFDs may be used to copy, print, scan, fax or email confidential state information. Employees faxing confidential state information from an MFD, must follow the same requirements as when using an analog device. MFDs and all other network printers are subject to the clean-desk requirement. When printing confidential documents on a MFD/network printer, employees must retrieve documents from the MFD/network printer as soon as possible. Confidential documents left on a MFD/network printer may be viewed by another employee only to determine who is responsible for the document and to provide it to the owner. Employees should not browse or inspect confidential documents that do not belong to them. Telephone Requirements Employees should use state-owned telephones to discuss confidential information and should disclose confidential information by telephone only from a secure or non-public area. Employees must not leave messages containing confidential information on answering machines or voicemail and must not send confidential information in a text message.

6

Electronic Requirements Personal Devices Confidential information may not be accessed, stored, photographed or processed on any personally-owned device. Computers Department owned computing or storage devices may be used to receive, access, store or process confidential information. Only use state-owned computing or storage devices in the Department’s inventory that have been assigned Department property numbers to receive, access, store or process FTI. Computers and electronic media that receive, process, store, or transmit FTI must be in a secure area with restricted access, to the extent possible. In situations when requirements of a secure area with restricted access cannot be maintained, such as home work sites, remote terminals or other office work sites, the equipment must receive the highest level of protection practical, including full disk encryption. All computers and mobile devices that contain FTI, and are resident in an alternate work site, must employ encryption mechanisms to ensure that this data may not be accessed if the computer is lost or stolen (see Physical Security of Computers, Electronic, and Removable Media in IRS Publication 1075.) When using a Department-owned computing device:

• Ensure access to computer screens is limited to only those having a valid need to or are authorized to view or access the information. Employees shall position computer monitors so the screen is not visible to the public.

• Ensure that display screens for all Department-owned or managed electronic computing devices (e.g., Department computers, tablets and smartphones) have a screen saver that automatically activates after no more than 15 minutes of inactivity.

• Do not leave the vicinity of a workstation without enabling the screen saver, locking the workstation or logging off.

Mobile Devices Mobile devices include both mobile computing and mobile storage devices. All mobile devices must have encryption technology enabled, if it is available, so that all content resides encrypted. Mobile devices should not be used for long-term storage of Department information. Department information should be removed from the mobile device and copied to the Department’s network when no longer needed for daily work. NOTE: The Child Support Program does not allow FTI to be stored on mobile storage devices.

Remote Access Remote access means users access the Department’s technology resources through the internet. Remote access also presents a significant threat to the Department’s confidential information. The below procedures should be followed when accessing the Department’s technology resources through the internet:

• Avoid using Department technology resources at external Wi-Fi hot spots to minimize the risk to the Department’s information resources. Examples of external Wi-Fi hot spots include coffee shops, libraries, airports, hotels, universities and other public places.

7

• Always assume a Wi-Fi hot spot is not secure. Most Wi-Fi hot spots do not encrypt the information sent over the internet and are not secure.

• If you must use the internet from an external Wi-Fi hot spot using a Department technology resource, only use secure websites (HTTPS).

• Never open a second browser session to access any other website while logged in to https://mydor.state.fl.us. Doing so will allow access to the Department network through the internet.

• Disable any wireless connection whenever you are working solely from the hard drive and are not using the internet. Enabled wireless connections may allow unauthorized personnel to access the computer through the internet.

NOTE: Federal regulations prohibit accessing Child Support Information in public areas without appropriate encryption. Electronic Mail (email) Requirements for Federal Tax Information FTI must never be emailed. If FTI is inadvertently sent through email, immediately report the incident as outlined in the incident response procedures, below. Electronic Mail (email) Requirements for Other Confidential Information The Department’s email system may be used to send confidential state information to authorized recipients within and outside the Department’s network. When sending confidential state information to authorized recipients outside the Department (e.g., authorized employees of other state agencies, customers or contractors), the message must be encrypted. Never put confidential information in the subject line of an out-bound external email. The secure email does not encrypt the subject line. Never use a personal email account to send or receive confidential information. Exceptions to the encryption requirement

• Section 213.053, F.S., permits taxpayers to authorize staff to communicate with them through unencrypted email. Prior to sending any information through unsecure email, employees must request and receive a written authorization (email or letter) from the taxpayer indicating that the taxpayer requests communications be accomplished through unencrypted email. Employees will ensure a copy of this authorization is maintained.

• Rule 2.520, Florida Rules of Judicial Administration, requires that all documents filed in any court be filed via electronic transmission. The implementation of the electronic service of process requirement may result in a limited amount of confidential information being sent through un-secure internet email.

Confidential Information and Physical Security Review Requirements The Confidential Incident Response and Disclosure Officer is responsible for conducting confidential information and physical security reviews of Department facilities and data resource centers.

8

Reviews of facilities will be conducted at least once every three years. Reviews of all contractors with access to FTI, consolidated data centers, off-site storage facilities, and headquarters buildings will be conducted once every eighteen months. The focus of the security reviews is on the following areas:

• Outer Perimeter

• Building Exterior

• Facility Infrastructure

• Lobby and Reception Area

• Interview Rooms (if equipped)

• Work Areas

• Mail Rooms

• Security of Confidential Information

• Emergency Management Policies and Procedures

• Security Policies and Procedures

All findings and observations are reported to the appropriate program or office director. All findings are required to be addressed and corrected and will be reported on every 180 days until corrected. Observations are informational items that do not require a Program response.

D. Data Disclosure FTI may not be disclosed by employees in any manner or form except as authorized in IRS Publication 1075. FTI must never be provided in response to a public records request. Confidential state information may be released only as authorized in applicable Florida Statutes, administrative rules, federal laws or regulations. Revenue ’s List of Confidential Information is a detailed reference tool that helps determine what information is confidential and whether it may be disclosed in response to a public records request. Requests for confidential data may be received in person, in writing, by telephone, by email or other electronic transmission. When responding to a request for confidential information always include a statement which advises the requester of the statute allowing disclosure to that specific requestor/individual and the fact that the information is confidential. Example: “This CONFIDENTIAL information is being provided as allowed by s. 213.053 (8)(c), F.S.” Procedures for Responding to In-Person Requests for Confidential Information Employees must verify that customers who visit Department offices to make a request for confidential information are authorized recipients of the requested confidential information before release or discussion. Verification can be accomplished by having the customer provide a photo identification card or responding to verification questions. For example, a picture identification such as a driver's license, personal identification card, or similar means can be used to confirm the person's identity. Verification questions are those that only the customer would have the answer such as Social Security Number or date of birth.

9

Tax Information If a person requesting confidential information claims to be the taxpayer or officer of a corporation and is requesting their own tax information, employees must:

• Verify the signature of the taxpayer or officer of the corporation by comparing with a signature on a return or form previously filed with the Department, if possible, or compare the signature with documents filed with the Department of State on sunbiz.org.

If a registered agent is requesting confidential information, they must present a current Power of Attorney or be an officer of the business themselves. Before releasing confidential information, employees must:

• Verify the signature by comparing with a signature on a return or form previously filed with the Department, if possible, or compare the signature with documents filed with the Department of State on sunbiz.org.

If a taxpayer’s representative is requesting confidential information, they must present a current Power of Attorney or written notarized authorization. Before releasing confidential information, employees must:

• Verify the signature by comparing with a signature on a return or form previously filed with the Department, if possible, or compare the signature with documents filed with the Department of State on sunbiz.org.

When completing requests for confidential information, General Tax Administration employees shall note the following information in the SUNTAX database in the taxpayer’s file:

• Purpose.

• Date.

• Means of identification provided.

• The name of the Department employee who verified that the customer was authorized to receive the information.

Child Support Information Procedures to respond to in-person requests for confidential child support information can be found in Child Support Knowledge Central (Confidentiality – Disclosure of Information). Other Confidential Information Procedures to respond to in-person requests for all other confidential information can be found in the Department’s Public Records Policy and Procedures for Responding to Public Records Requests. Procedures for Responding to Written Requests for Confidential Information Employees may verify the identity of a requester by comparing the information provided in the written request with information contained in the Department’s case file or customer file (e.g., name, address, date of birth, Social Security Number and signature on the request). Tax Information A taxpayer, a taxpayer’s authorized representative, or the personal representative of an estate may request a copy of the taxpayer’s returns by submitting a completed and signed Request for Copy of Tax Return (Form DR-841).

10

When a written request is received from a business, employees must verify the company or owner name with information in the tax database or on a filed tax return.

• Compare the signature on the request with the signature on a return or form previously filed with the Department, if possible; or,

• Verify through the Department of State, sunbiz.org, that the request is signed by an authorized officer of the corporation or partner of a partnership.

When a written request is received from a taxpayer’s representative, they must provide a written notarized authorization or current Power of Attorney. Before releasing confidential information, employees must:

• Compare the signature on the request with the signature on a return or form previously filed with the Department, if possible.

Child Support Information Procedures to respond to written requests for confidential child support information can be found in Child Support Knowledge Central (Confidentiality – Disclosure of Information). Other Confidential Information Procedures to respond to written requests for all other confidential information can be found in the Department’s Public Records Policy and Procedures for Responding to Public Records Requests. Procedures for Responding to Telephone Requests for Confidential Information Employees must verify the identity of the individual requesting the information and ensure they are an authorized recipient prior to discussing confidential information on the telephone. Tax Information

• Employees may verify identity by having the person on the phone provide identifying information such as: o Name o Date of birth o Address o Business partner number or federal employee identification number. o Compare the information received with the information in the applicable case file.

• Persons who claim to be taxpayers will be advised that the requested information must be researched for a return call.

• The return telephone number must be verified as belonging to the taxpayer prior to the disclosure of any state tax information.

Child Support Information Procedures to respond to telephone requests for confidential child support information can be found in in Child Support Knowledge Central (Confidentiality – Disclosure of Information). Other Confidential Information Procedures to respond to telephone requests for all other confidential information can be found in the Department’s Public Records Policy and Procedures for Responding to Public Records Requests.

11

Information Sharing Between Department Programs General tax or property tax information may be shared with child support only as needed in the administration of the Title IV-D, Child Support Program (CSP). Child support information may not be shared or used for tax administration purposes. Federal law does not allow general tax or property tax to access or use child support information. Information Sharing with Other Agencies State and federal laws, rules, and regulations allow the Department to share certain confidential information with certain agencies when required to perform their official duties. The Department’s procedures for sharing confidential state information are based on the type of information being requested. State Tax Information Requests from federal, state, local or other governmental agencies, for property, sales, communications services and corporate tax information should be routed through the Confidential Incident Response and Disclosure Officer (Disclosure Officer). The Disclosure Officer maintains information sharing agreements and authorization lists that identify personnel who are authorized to request and receive confidential tax information for these agencies. Route requests from agencies participating in the Registration Information Sharing and Exchange (RISE) program through the RISE Coordinator in the General Tax Administration (GTA) program. The GTA records custodian receives requests for re-employment tax information, subpoenas, and court orders for tax records. Child Support Information Route requests from other agencies for child support information through appropriate CSP contract management staff or business process owners within child support. Personnel Information Route requests from other agencies for workforce information through the Office of Workforce Management. Disclosure Exceptions Generally, confidential tax information cannot be disclosed to outside parties; however, there are exceptions where the information may be released. Some of these exceptions, along with the statutory references allowing the disclosure are listed below. Motor and Other Fuels Taxes Generally motor and other fuel tax information is not confidential. However, motor and other fuel tax information concerning audits in progress and pending investigations by the Department or Florida Department of Law Enforcement are confidential and/or exempt from disclosure as a public record. Refer to Section 206.27, F.S., and contact the Disclosure Officer for guidance before disclosing confidential motor and other fuel tax information.

12

Statistical Information Confidential state tax information may be used to generate statistical data for publication, or in response to a public records request in accordance with Section 213.053, F.S., as long as the statistical information cannot be used to identify or disclose confidential information related to a specific taxpayer.

• Statistical tabulations with cells containing data pertaining to fewer than three taxpayers may not be released.

• Statistical tabulations prepared for geographic areas below the county level may not be released with cells containing data pertaining to fewer than ten taxpayers.

Sales and Use Tax Certificates Section 213.053, F.S., allows disclosure of the following:

• Whether a specified person holds a valid certificate.

• Whether a specified certificate number is valid, has been canceled, or is inactive or invalid, and the name of the holder of the certificate.

Secondhand Dealer/Metals Recycler Registration Sections 213.053, 538.09 and 538.25, F.S., allow employees to disclose the following to a law enforcement official:

• Whether a specified person holds a valid certificate (section 213.053, F.S.).

• Whether a specified certificate number is valid, has been canceled, or is inactive or invalid and the name of the holder of the certificate (section 213.053, F.S.).

• The name and address of any secondhand dealer registered to do business within the official’s jurisdiction (section 538.09, F.S.).

• The name and address of any secondary metals recycler registered to do business within the official’s jurisdiction (section 538.25, F.S.).

Employees should contact the Disclosure Officer should they have questions regarding a request.

E. Data Disposal All public records, including those that are confidential, must be destroyed in compliance with the retention schedules in the General Schedule for State and Local Government Agencies (GS1-SL) or the Department’s specific records retention schedules. The Record Management Liaison Officer (RMLO) must review and approve disposition/destruction requests for the Department’s public records, including confidential records. All records must be destroyed in compliance with appropriate laws, rules, policies and procedures. Rules 1B-24.003 and 74-2, F.A.C., provide specific guidance for the destruction of confidential public records. Federal Tax Information (FTI) FTI has no specific retention period and should be destroyed as soon as it has served its purpose. Both the IRS and the Department’s specific records retention schedule require that a record of any requests for FTI and the record of the destruction of the FTI be maintained for five years after the request or destruction. All FTI must be destroyed in compliance with IRS Publication 1075, Section 8.0.

• If a contract shred company is utilized, the required safeguard language contained in IRS Publication 1075 must be placed in the contract.

13

• The destruction must be documented/logged and witnessed by a Department employee. Disposal of Confidential State Information in Printed Form (Paper Records) Confidential information in printed form must be destroyed by placing the information in a shred bin which meets the Department’s standard requirements. The Department contracts with a company to handle the shredding of confidential documents in accordance with the Department’s shredding standards for contractors. Department shredders should not be used to destroy confidential paper documents. Confidential documents should never be placed in a recycle bin or any other trash receptacle that is not authorized for destruction of confidential information. Disposal of Electronic Media Electronic devices (e.g., copiers, scanners, facsimile machines, compact discs, hard drives, flash drives, servers, etc.) must be sanitized in a manner that confidential or exempt information is rendered unusable, unreadable, and indecipherable and not subject to retrieval or reconstruction. Electronic devices that leave the control of a unit must have all data on the device purged or destroyed prior to transfer. Disposal of Other Non-Paper Media Other non-paper media containing confidential information (e.g., audio tapes, video tapes, microforms, photographic films, etc.) must be destroyed using appropriate destruction methods such as pulverizing, shredding and chemical decomposition/recycling.

F. Information Security Incident Response Confidential Federal Parent Locator Service (FPLS) or Confidential State Information Employees discovering an information security incident or suspected information security incident involving confidential FPLS or confidential state information should immediately report the incident as follows:

• Advise their supervisor who will help with appropriate reporting

• Submit a report using Ethics Link (Do not include confidential information in the Ethics Link report) The Disclosure Officer will notify as appropriate, take necessary actions to respond to the incident, and determine if further investigation is required, or if the incident can be closed upon notification that an information security incident involving potential unauthorized disclosure, use, or breach of confidential FPLS or confidential state information has taken place. Federal Tax Information (FTI) Local, state, and federal agencies that receive FTI must immediately contact the U.S. Department of Treasury Inspector General for Tax Administration (TIGTA) upon discovering a possible improper access, inspection or disclosure of FTI, including data breaches and security incidents. Any employee who discovers a possible unauthorized access violation or unauthorized disclosure of FTI must report the incident immediately. Incidents can be reported in any of the following ways:

• Notify your supervisor who will help you report the incident.

• Use Ethics Link (Do not include FTI in the Ethics Link Report).

14

• Report the incident directly to the local Field Division of the Treasury Inspector General for Tax Administration (TIGTA) at 1-470-639-3792. If you are unable to contact the local TIGTA Field Division call 1-800-589-3718. When reporting directly to TIGTA, you must do so within 24 hours of discovering the possible violation. o After reporting to TIGTA, you should also report the incident to the Disclosure Officer using

Ethics Link.

G. Department Responsibilities The Department will do the following:

• Protect confidential information from unauthorized use, access and disclosure through appropriate administrative, technical and physical safeguards.

• Use confidential information only for official purposes.

• Immediately and appropriately respond to incidents involving the unauthorized access, use, loss, disclosure, modification or destruction of confidential information.

• Ensure employees in each program, executive office, and business process within the Department understand the proper classifications of data or information for which they are responsible and the procedures to safeguard the data or information.

H. Individual Duties and Responsibilities Program Directors and Executive Office Directors will:

• Ensure sufficient safeguards are employed within each director's area of responsibility to protect confidential information from unauthorized use or disclosure.

• Issue program/office specific procedures as needed, to ensure compliance with the Department’s Confidential Information policy and procedures, and state and federal laws and regulations related to the protection of confidential information.

• Ensure employees comply with federal and state laws, rules, regulations, policies, and procedures governing confidentiality and unauthorized use, access or disclosure of tax, child support, and confidential administrative and personal information.

• Designate and maintain a list of information owners within the program or office. Provide the list of information owners to the Confidential Incident Response and Disclosure Officer no later than June 30 of each year.

• Ensure information owners within the program are provided sufficient administrative, technical, and physical resources to comply with the Department’s Confidential Information policy and procedures.

Office of the General Counsel will:

• Provide legal review and assistance for issues related to use, access or disclosure of confidential information.

• Serve in an advisory capacity for responses to incidents of unauthorized use, access or disclosure of confidential information.

Confidential Incident Response and Disclosure Officer will:

• Serve as the Department’s central point for coordination and responsibility of activities related to information sharing, confidentiality and safeguarding of confidential information.

• Develop and implement the Department’s confidential information program including policies, procedures, monitoring, maintenance, enforcement and training.

• Maintain Revenue’s Reference List of Confidential Information.

15

• Maintain a list of designated information owners as reported and updated by program directors and executive office directors no later than June 30 of each year.

• Comply with the Department’s Open Government requirements, while protecting confidential information from unauthorized access, use or disclosure.

• Coordinate intake of and response to reports of unauthorized disclosure, use, access or breach of confidential information.

• Serve as the Department’s Federal and State Coordinator for sharing of confidential information.

• Develop information sharing agreements and maintain liaison with federal, state, and local agencies concerning the exchange of tax information.

• Conduct confidential information and physical security reviews of Department facilities and data resource centers.

Information Security Manager will:

• Administer the Department’s information security program so that controls are in place to protect the confidentiality of Department information resources.

• Coordinate the development and implementation of the Department’s information security awareness program.

• Coordinate the Department’s Computer Security Incident Response Team (CSIRT).

• Oversee the Department’s information technology security monitoring and reporting activities. Records Management Liaison Officer (RMLO) will:

• Serve as Department of Revenue’s liaison to the Department of State pursuant to Section 257.36, Florida Statutes.

• Review and approve disposition requests for Department records, including confidential records.

• Ensure the Department’s policies and procedures for destroying confidential records meet the requirements of Rules 1B-24.003 and 74-2, Florida Administrative Code.

Open Government Officer will:

• Provide guidance and assistance regarding Open Government or public records requests that may involve confidential information.

Information Owners will:

• Classify information within their area of responsibility as confidential or non-confidential.

• Authorize and maintain documentation of users authorized to access confidential information within their area of responsibility.

• Ensure access to confidential information within their area of responsibility is terminated when it is deemed no longer necessary.

• Document and communicate retention schedules for confidential information within their area of responsibility.

Supervisors will:

• Ensure employees understand the Department’s Confidential Information policy and procedures and how to apply the information within their work areas.

• Ensure employees are able to identify confidential information within their work areas and understand its handling requirements.

16

• Ensure employees acknowledge annually their understanding of the Department’s Confidential Information policy and procedures and the criminal penalties for violating federal and state confidentiality laws.

• Ensure employees complete required training on information security awareness and protecting confidential information.

• Provide guidance to employees in reporting incidents involving the actual or suspected unauthorized access, use or disclosure of confidential information.

Employees will:

• Comply with the Department’s Confidential Information policy and procedures.

• Annually acknowledge understanding of the Department’s Confidential Information policy and procedures and the criminal penalties for violating federal and state confidentiality laws.

• Complete required training on information security awareness and protecting confidential information.

• Immediately report any actual or suspected unauthorized access, use, or disclosure of confidential information through their supervisor, Ethics Link or directly to the Disclosure Officer.

• Protect the confidentiality, integrity and availability of information generated, accessed, modified, transmitted or stored, regardless of the format, how it is created, or where it is stored.

• Be able to identify the classifications of data or information within their work area and understand the proper handling requirements.

• If unsure about the classification of data or information or its handling requirements, ask a supervisor, manager, the Confidential Incident and Response Officer or the Open Government Officer for guidance.

• Access confidential records only as required to perform assigned duties.

• Protect confidential information and not disclose or take confidential information with them when leaving employment with the Department.

Contract Managers will:

• Advise contractors of Department requirements concerning confidentiality and ensure these requirements are documented in the contract.

• Ensure contractors and contractors’ employees complete any required Department information security awareness training.

• Inform contractors of their responsibility to ensure their employees comply with Department’s requirements for confidential information.

Definitions • Access – The ability to examine tax, child support, personal information or other information

that is confidential by state or federal law.

• Analog line – A wire (cable) that carries an analog signal. Analog lines support standard phones, fax machines and modems.

• Authentication – The process of determining whether someone or something is, in fact, who or what it is declared to be, i.e., technical controls.

17

• Confidential child support information – Any information relating to a specified individual, or an individual who can be identified by reference to one or more factors specific to him or her, including but not limited to, the individual's Social Security Number, residential and mailing addresses, employment information and financial information. This includes most information contained in a child support case file.

• Confidential information – Information that is prohibited from disclosure under the provisions of applicable state or federal law.

• Department technology resources – Department-owned computer hardware, software, networks, devices, connections, applications and data.

• Disclosure – Making known to any person, in any manner whatsoever, tax, child support, personal, or other information that is confidential by state or federal law.

• Employees – For purposes of this policy and procedure, this term includes any Department career service, selected exempt service, senior management service, other personal services, contractors or contractors’ employees.

• Exempt information – Information, whether on paper or electronic format, the Department is not authorized to disclose under section 119.07(1), Florida Statutes.

• Federal Tax Information (FTI) – FTI is any federal tax return, or information from a federal tax return, provided directly to the Department by the IRS or through the Federal Office of Child Support Enforcement (OCSE). The information can be in either hard copy or electronic form.

• Immediate control – Within an area that allows the employee to instantly gain access to the information.

• Information owners – An individual or group with overall responsibility for identifying, classifying and protecting confidential information; responsible for the dissemination, maintenance, and destruction of confidential information in their area of responsibility.

• Information security incident – Any event resulting in the unauthorized access, use, loss, disclosure, disruption, modification, destruction, or theft of the Department’s information resources.

• Inspection – Any examination of tax, child support, personal information or other information that is confidential by state or federal law.

• Logical access controls – Limit connections to computer networks, system files and data.

• Mobile computing device – A portable device that can process data (e.g., laptop, personal digital assistant, certain media players and cell phones).

• Mobile storage device – Portable data storage media including, but not limited to, external hard drives, thumb drives, floppy disks, recordable compact discs (CD-R/RW), recordable digital

18

videodiscs (DVD-R/RW), IPODs, media players, and cell phones or tape drives that may be easily attached to and detached from computing devices.

• Multi-function printer-copier-scanner-fax device (MFDs) – A device that has multiple functions such as a printer that also prints, makes copies, faxes and scans.

• Non-confidential – Any information or documents, regardless of format, that are available for public inspection and are not restricted from release under state or federal law.

• Personally-owned device – Any technology device that is purchased or owned by an individual and not issued by the Department or state.

• Public records – All documents, papers, letters, maps, books, tapes, photographs, films, sound recordings, data processing software or other material, regardless of the physical form, characteristics or means of transmission, made or received pursuant to law or ordinance or regarding the transaction of official business by any agency.

• Remote access – Any access to the Department’s network through a network, device, or medium that is not controlled by the Department (such as the internet, public phone line, wireless carriers or other external connectivity).

• Secured – Means that the facility, room, or container is designed to prohibit undetected access by an unauthorized person.

• State tax information – All records of the Department relative to particular taxpayers, including returns, return information, letters of advice, technical assistance advisements, large currency transaction reports and investigative reports. This does not include federal tax information furnished to the Department by the IRS (FTI).

Authority/Reference IRS Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies Revenue’s Reference List of Confidential Information

Public Records Policy

Procedures for Responding to Public Records Requests Protection and Use of Information Technology Resources Policy Protection and Use of Information Technology Resources Procedures Standards of Conduct Rule 1B-24.003, Florida Administrative Code

Rule 12-22, Florida Administrative Code

Rule 12-3.007, Florida Administrative Code

Rule 74-2, Florida Administrative Code

Section 20.05, Florida Statutes

Section 20.21, Florida Statutes Section 119.071, Florida Statutes

Section 206.27, Florida Statutes

Section 213.053, Florida Statutes

19

Section 257.36, Florida Statutes

Section 409.2579, Florida Statutes

Section 538.09, Florida Statutes

Section 538.25, Florida Statutes

Policy Owner General Counsel Office of the General Counsel Tallahassee, Florida

Key Contact Confidential Incident Response and Disclosure Officer Office of the General Counsel Tallahassee, Florida (850) 717-7748

20

Date Signed and Revision History Effective Date Explanation

10/19/2018 Executive Director approval on file with the Office of Workforce

Management

Origination Date Explanation

08/01/1997 Revised

Last Reviewed Date Explanation

01/03/2011 Updated to new policy format; incorporated AEIT standards for confidentiality

09/2013 Revised – Biennial Review

10/2018 Updated to new procedure format. Revisions include:

• Expanded electronic requirements section to include personal devices, mobile devices and remote access.

• Each program director and Executive Program office director provides a list of information owners to Office of General Counsel annually.