New System of Records Notice (SORN) Template Help

FORMATTING: Do not use any tabs, bolding, underscoring, or italicizations in the New SORN template. Font should be Courier New size 12.

New SORN Template Help

System Identifier

This will be assigned by the Army Privacy Office for new SORNs.

System Name

This is the name of the system of records.

NOTE:
Choosing the right system name is very important because it is the first indication to the public of what the system of records is all about. The system name must indicate the general nature of the system of records and, if possible, the general category of individuals to whom it pertains.
  • The system name should adequately reflect and describe the categories of individuals on whom you are collecting/maintaining information, for example, “Soldier Fitness Tracker System.”
  • The system name should not be overly long. DOD 5400.11-R recommends that the system name not be more than 55 characters.
  • Acronyms following the system name should be avoided.
  • DOD places the last Federal Register publication date of the system of records notice after the system name. This citation is not part of the system name.

System Location

Which locations or sites use the system?

  • Include the locations of the main servers and/or central file, input or output terminals at separate locations.
  • Are contractor sites included? If yes, identify them as well.
  • What are the complete mailing addresses including the 9-digit zip codes of each location?
NOTE:
  • Post Office boxes are not locations.
  • For geographically or organizationally decentralized system locations, indicate that the official mailing addresses are published as an appendix to the Department of the Army’s compilation of System of Records notices. If no address directory is used, the complete mailing address of each location where a portion of the record system is maintained must appear in this caption or give the mailing address of who can provide a complete listing of locations.
  • Do not use acronyms in addresses unless they are officially part of the U.S. Postal mailing address.

Categories of Individuals Covered by the System

Which individuals can expect to find records about themselves in the system? Examples: applicants, employees, contractors, retirees, etc.

NOTE:
  • For purposes of the Privacy Act, an individual is defined as a living person who is a citizen of the U.S. or an alien lawfully admitted for permanent residence. Businesses (corporations, partnerships, sole proprietorships, commercial entities, and professional groups) are not “individuals.”
  • Avoid using broad descriptions like “all Army personnel” unless that is truly accurate. Use descriptions such as: Army civilian employees; contractors; active duty service personnel; and civilian employees from other federal agencies.
  • Do NOT use “may include…” or “but not limited to…”
  • If your databases or files cover individuals in other Federal Agencies, include that fact.

Categories of Records in the System

What types of individually identifiable information are collected/maintained by the system? For example, if the system collects full name, date of birth, Social Security Number (SSN), DOD ID number, patient medical history, loan applications, curriculum vitae, laboratory test results, etc., each of those data elements should be listed in this section.

NOTE:
If your system of records notice covers a database, it is a good idea to get a printout of the data to see all the records being maintained.

Authority for Maintenance of the System

What specific legal authority (citation and descriptive title) requires your Activity to perform a function that makes the creation and use of the system of records necessary?

NOTE:
  • Do not list the Privacy Act in this section (OMB, Privacy Act Implementation, Guidelines and Responsibilities, 40 F.R. 28962 (July 9, 1975)).
  • A statute, Executive Order (E.O.) of the President, and/or Army regulations may be cited as the authority for maintenance of the system. Whenever possible, cite the specific provisions of the statute or E.O.
  • When an Activity uses a general statutory grant of authority (an “internal housekeeping” statute) as the primary authority, the regulation/directive/instruction implementing the statute within the DOD Component should also be identified.
  • When collecting the Social Security Number (SSN), always place “E.O. 9397 (SSN), as amended” in your authority. This E.O. will never stand alone as an authority to collect and maintain information under the Privacy Act.

Purpose

Describe the purpose of the system and explain why the program collects these particular records.

When a new purpose is required, the system of records notice will need to be amended or altered.
  • Why is the Army collecting the information in the first place?
  • What does the Army do with the information it is collecting? How is it used in the course of DOD business?
  • How does the information serve the Army’s objectives?

Routine Uses of Records Maintained in the System, Including Categories of Users and the Purposes of Such Uses:

Routine uses apply to information sharing external to the Department of Defense (DOD). The term “routine use” is defined, with respect to the disclosure of a record, as “the use of such record for a purpose which is compatible with the purpose for which the record was collected.” Routine uses ensure that the public receives adequate notice of the planned uses of the information in the system of records.

Examples of DOD Blanket Routine Uses.

Provide a detailed list of what the agency does or might do with the information it collects on an individual. Each routine use should identify:

  • Which non-DOD Agencies and entities (including private sector entities) will routinely be provided access to the data or will be given the data upon request?
  • Which specific element within each listed agency/entity may information be disclosed to?
  • What type of information is being disclosed to each listed agency/entity?
  • Why is the information being disclosed to each of the agencies/entities listed?

Routine uses should be written as:

To… (user) … to … (uses – what they do with the information) … for the purposes of … (objective).

Example: To the Department of Veterans Affairs (DVA) to provide Uniformed Service personnel and pay data for present and former Uniformed Service personnel for the purpose of evaluating use of veterans’ benefits, validating benefit eligibility and maintaining the health and well-being of veterans and their family members.

NOTE:
  • Courts have held that if an agency uses a record in a way that was not listed as a routine use, that use may not hold up in court.
  • General statements such as “to other Federal Agencies as required” or “to any other appropriate Federal Agency” will not be accepted.

Keep in mind the following rule: If your routine use clause shows “None”, and you get a request from another non-DOD entity for access to the records, you must refuse the request, no matter how valid the request or how important it is that you comply.

Make sure the language below is included in this section:

“In addition to those disclosures generally permitted under 5 U.S.C. 552a(b) of the Privacy Act of 1974, as amended, the records contained therein may specifically be disclosed outside the DOD as a routine use pursuant to 5 U.S.C. 552a(b)(3) as follows:

The DOD Blanket Routine Uses set forth at the beginning of the Army's compilation of systems of records notices may apply to this system. The complete list of DOD Blanket Routine Uses can be found online at: http://dpcld.defense.gov/Privacy/SORNsIndex/BlanketRoutineUses.aspx”

If collecting medical records, also include this language: “The DOD Health Information Privacy Regulation (DOD 6025.18-R), issued pursuant to the Health Insurance Portability and Accountability Act of 1996, applies to most such health information. DOD 6025.18-R may place additional procedural requirements on the uses and disclosures of such information beyond those in the Privacy Act of 1974 or mentioned in this system of records notice.”

Policies and practices for storing, retrieving, accessing, retaining, and disposing of records in the system:

Storage:

Describe the manner and state the medium(s) in which the records are stored/maintained:

Storage does not refer to the container or facility in which the records are kept.
  • Are the records hard copy or electronic?
  • Are the records stored in locked/unlocked metal file cabinets, in file folders, and/or on magnetic or optical disks, magnetic tapes, or other electronic media?
NOTE:
  • If information is stored on backups in a different format, note that here.

Retrievability:

Describe how an individual’s records are retrieved from the system, example: “by name”, “by SSN”, “by name and SSN” or other unique personal identifier associated with the individual as listed in the Categories of Records above.

NOTE:
  • This includes unique identifiers assigned by the system itself.

Safeguards:

How are the records protected? Describe all measures currently in place to ensure that the records are not accessed or disclosed in an unauthorized manner. Identify all measures such as safes, vaults, locked cabinets or rooms, guards, visitor registers, personnel screening, or computer “fail-safe” systems software. Do not describe safeguards in such detail as to compromise system security.

  • Start with describing the facility/building safeguards, then the room, then the computer/file cabinet. Then indicate the personnel getting access to the information.
  • Which categories of employees are authorized to have access to the records?
  • How is access to the records limited? For example: to those with certain clearances, general nondisclosure obligations of employees, restrictions on transmittal of records from the system, electronic data encryption, etc.

Sample language for this section:

“Automated files are password protected and in compliance with the applicable laws and regulations. Paper records in file cabinets are accessible only to authorized personnel who are properly instructed in the permissible use. The files are not accessible to the public or to persons within the command without an official need to know. File cabinets have locking capabilities and offices are locked during non-work hours. Army Activities and approved users ensure that electronic records collected and used are maintained in controlled areas accessible only to authorized personnel. Access to computerized data is restricted by use of Common Access Cards (CACs) and is accessible only by users with an authorized account. The system and electronic backups are maintained in controlled facilities that employ physical restrictions and safeguards such as security guards, identification badges, key cards, and locks.”

Retention and disposal:

Describe the retention and disposal schedule and provide the rationale for the period of time described:

  • How long are the records maintained in an active status?
  • When are they transferred to a Federal Records Center?
  • How long are they kept at the Federal Records Center?
  • When are they transferred to the National Archives or destroyed?
  • If records are eventually to be destroyed, state the method of destruction (e.g., shredding, burning, pulping).
NOTE:
  • Do not cite the disposition schedule regulation.

If your Agency has submitted the disposition schedule to NARA for approval, you can use the following until the Agency receives an approved disposition: “Disposition pending (treat records as permanent until the National Archives and Records Administration has approved the retention and disposition schedule).”


System manager(s) and address:

  • What is the name and title of the official who can best answer questions regarding the system?
  • What is the Official’s current mailing address (include nine digit zip code)?
  • For geographically separated or organizationally decentralized activities list the position, title and mailing addresses.

Notification procedure:

Describe how an individual can determine if a record in the system of records pertains to them. Provide the title and complete mailing address of the official to whom the request must be directed; the information the individual must provide in order for the Activity to respond to the request; and a description of any proof of identity required.

Fill in the highlighted portions on the SORN template:

“Individuals seeking to determine whether information about themselves is contained in this system should address written inquiries to [provide title and complete mailing address of the official to whom the request must be directed.]

Individual should provide his/her full name, current address and telephone number, case number and office symbol of Army element which furnished correspondence to the individual, other personal identifying data that would assist in locating the records, and be signed.”

In addition, the requester must provide a notarized statement or an unsworn declaration made in accordance with 28 U.S.C. 1746, in the following format:

“If executed outside the United States: 'I declare (or certify, verify, or state) under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on (date). (Signature).'

If executed within the United States, its territories, possessions, or commonwealths: 'I declare (or certify, verify, or state) under penalty of perjury that the foregoing is true and correct. Executed on [date]. (Signature).”


Record access procedures:

Describe how an individual can review the record and/or obtain a copy of it. Provide the title and complete mailing address of the official to whom the request for access must be directed; the information the individual must provide in order for the Activity to respond to the request; and a description of any proof of identity required.

Fill in the highlighted portions on the SORN template:

“Individuals seeking access to information about themselves contained in this system should address written inquiries to the [provide title and complete mailing address of the official to whom the request must be directed].

Individual should provide his/her full name, current address and telephone number, case number and office symbol of Army element which furnished correspondence to the individual, other personal identifying data that would assist in locating the records, and be signed.

In addition, the requester must provide a notarized statement or an unsworn declaration made in accordance with 28 U.S.C. 1746, in the following format:

If executed outside the United States: 'I declare (or certify, verify, or state) under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on (date). (Signature).'

If executed within the United States, its territories, possessions, or commonwealths: 'I declare (or certify, verify, or state) under penalty of perjury that the foregoing is true and correct. Executed on (date). (Signature).'”


Contesting record procedures:

This entry should read the same for all Army notices. Ensure that it reads the same as published in previous notices.

  • What is the Official’s current mailing address (include nine digit zip code)?

Make sure the language below remains in this section:

“The Army's rules for accessing records, and for contesting contents and appealing initial agency determinations are contained in Army Regulation 340-21; 32 CFR part 505; or may be obtained from the system manager.”


Record source categories:

Describe where the records in the system come from:

  • List the sources of records and feeder systems; for example, were they received from the individual, other federal agencies, or commercial entities?

Exemptions claimed for the system:

Often the response here is “None,” because many systems do not meet the requirements to claim exemptions to the Privacy Act.

If no exemption has been established for the system, indicate "None".

If you believe an exemption applies to the system of records, please review the text of general exemptions (j) and specific exemptions (k) under Exemptions.

NOTE:
  • If exemptions are being claimed for this system, it is recommended that your legal counsel review and approve the exemptions.

If any exemption rule has been established, state under which provision(s) of the Privacy Act it was established.

Make sure the language below remains in this section:

“An exemption rule has been promulgated in accordance with the requirements of 5 U.S.C. 553(b)(1), (2), and (3), (c) and (e) and published in 32 CFR part 505. For additional information contact the system manager.”