DOGE wants access to your tax and Social Security data. These two laws are supposed to protect you

By Jeanne Sahadi, CNN

(CNN) — Reports of the Department of Government Efficiency’s so-called “tech bros” accessing federal systems that hold vast troves of Americans’ personal data have raised many questions about whether they can legally see – never mind copy, alter or share – such sensitive details on hundreds of millions of people.

Efforts by DOGE to get access to the reams of “personally identifiable information” (PII) on individuals housed at the IRS, Social Security Administration, Office of Personnel Management, Department of Education and other federal agencies – not to mention the federal payments system at Treasury – are now the subject more than a dozen lawsuits. (And in at least two, judges have granted temporary restraining orders on DOGE getting access to some sensitive data.)

With very few exceptions, much remains unclear about DOGE’s activities and aims at each agency with respect to Americans’ personal data, and what, if any, security vetting (e.g., background checks, finger-printing) DOGE members have undergone.

The courts will have to decide whether what DOGE is doing is legal. In determining that, they will have to assess whether any of several laws designed to protect your personal data at federal agencies and to protect the integrity of their systems have been violated. Two of the most frequently cited are the Privacy Act of 1974 and Section 6103 of the Internal Revenue Code.

The Privacy Act of 1974

The Privacy Act “is designed to prevent government from misusing information about individuals in government files,” said DC-based attorney Cornish Hitchcock, who specializes in matters pertaining to the Privacy Act and the Freedom of Information Act.

It was created in the wake of US involvement in the Vietnam War, during which time the FBI had been compiling dossiers on anti-war activists. And it came after the Watergate tapes revealed that then-President Richard Nixon wanted to weaponize the IRS and have an IRS commissioner he chose “go after our enemies and not go after our friends.”

“The animating principle of the Privacy Act is to provide citizens with information about what systems exist and about the data the government collects on them,” said attorney Alan Butler, executive director of the Electronic Privacy Information Center (EPIC). “There should be no secret databases. It’s a transparency principle.”

More concretely, “it requires federal agencies to take care of your data and not willfully or negligently provide it to others, (and) to make sure their systems are secure,” said attorney Gary Mason, who represented plaintiffs in a case several years ago when the personal information of millions of former and current federal employees was exposed in a data breach at the Office of Personnel Management.

It’s also about instilling trust that “when government uses systems to process people’s information, it ensures the accuracy and integrity of that data. You’re entrusting your personal information to the government. And you trust that they will keep it in confidence and use it only for purposes that are necessary and limited to those purposes,” Butler added.

Accuracy is critical because your personal information can be used to make a decision that affects you – such as whether or not you qualify to receive a benefit. The Privacy Act also gives you the right to review and amend your personal data kept on federal agency systems, and it requires you to give your written consent for anyone else to see your data, unless the sharing of that data falls under a statutory exception to the law.

Hitchcock noted that a federal agency may have a data-sharing arrangement with another federal or state agency to advance their work on given routine issues – for example, tax fraud prosecutions or personnel matters. But that “routine use” must be explained and published in the Federal Register, and before it is finalized there must be time granted for public comment before the routine use is finalized.

Should DOGE use data from federal agency systems to create a new system without going through proper channels, that may be yet another strike. “It’s one thing if they improperly access the existing systems. But if they extract the data and put it in a new system – that (can be) its own violation of the Privacy Act,” Butler said.

Section 6103

Section 6103 was created under the Tax Reform Act of 1976, and like the Privacy Act, was intended as a counter to Nixon’s stated desire for presidents to be able to weaponize the IRS.

“The Tax Reform Act of 1976 abolished the authority of the President to make rules for release of tax information,” information privacy expert Paul Schwartz noted in a 2008 article in the National Tax Journal.

More broadly, “(Section 6103) severely limits the ability of the IRS to disclose your information,” Hitchcock said. “The need for protecting privacy is drilled into every IRS employee at an early stage.”

Indeed, in the Taxpayer Bill of Rights, the IRS notes that “Taxpayers have the right to expect that any information they provide to the IRS will not be disclosed unless authorized by the taxpayer or by law. Taxpayers have the right to expect appropriate action will be taken against employees, return preparers, and others who wrongfully use or disclose taxpayer return information.”

But the IRS also lays out the exceptions under 6103 in which your tax information may be shared. The IRS may, for example, share some of your tax data “with law enforcement agencies for investigation and prosecution of non-tax criminal laws” and with the Social Security Administration for matters pertaining to “Social Security and Medicare tax liability.”

Restrictions on disclosure under Section 6103 don’t apply only at the IRS but at any federal agency where your tax data is stored (e.g., at the Social Security Administration).

Violating Section 6103 carries civil and criminal penalties – something everyone was reminded of when an IRS contractor pled guilty to sharing tax data on thousands of the wealthiest Americans, including Musk and Trump, with two news outlets. His sentence: Five years in prison.

The-CNN-Wire
™ & © 2025 Cable News Network, Inc., a Warner Bros. Discovery Company. All rights reserved.