Narrative Statement Template on a New System of Records Notice (SORN) Help
FORMATTING: Do not use any tabs, bolding, underscoring, or italicizations in the New SORN template. Font should be Courier New size 12.
1. System identifier and name:
The system name should adequately reflect and describe the categories of individuals on whom you are collecting/maintaining information, for example, “Soldier Fitness Tracker System”.
The System identifier will be assigned by the Army Privacy Office for new SORNs.
- Provide the name of the system of records.
2. Responsible Official:
- What is the name and title of the official who can best answer questions regarding this system of records?
- What is the Official’s current mailing address (include nine-digit zip code)?
- What is the Official’s telephone number?
3. Purpose of establishing the system:
Start with this language: “The Department of the Army is proposing to establish a new system of records that will be used to ________” This should read the same as in the “Purpose(s)” section in the new System of Records Notice.
Describe the purpose of the system and explain why the program collects these particular records.
- Why is the Army collecting the information in the first place?
- What does the Army do with the information it is collecting? How is it used in the course of DOD business?
- How does the information serve the Army’s objectives?
4. Authority for maintenance of the system:
This should read the same as in the new System of Records Notice.
What specific legal authority (citation and descriptive title) requires your Activity to perform a function that makes the creation and use of the system of records necessary?
NOTE:
- Do not list the Privacy Act in this section (OMB, Privacy Act Implementation, Guidelines and Responsibilities, 40 F.R. 28962 (July 9, 1975)).
- A statute, Executive Order (E.O.) of the President, and/or Army regulations may be cited as the authority for maintenance of the system. Whenever possible, cite the specific provisions of the statute or E.O.
- When an Activity uses a general statutory grant of authority (“internal housekeeping” statute) as the primary authority, the regulation/directive/instruction implementing the statute within the DOD Component should also be identified.
- When collecting the Social Security Number (SSN), always place “E.O. 9397 (SSN), as amended” in your authority. This E.O. will never stand alone as an authority to collect and maintain information under the Privacy Act.
5. Agency’s evaluation of the probable or potential effects on the privacy of individuals:
- Insert any known or perceived adverse effects on the individual by maintaining this information.
- If none, insert the following language: “The Army reviewed the safeguards established for the system to ensure they are compliant with DOD requirements and are appropriate to the sensitivity of the information stored within the system.”
6. Is the system, in whole or in part, being maintained, collected, used or disseminated by a contractor?
- This answer is either “Yes” or “No.”
- If Yes, please ensure that the contract has the necessary FAR clauses (subpart 24.1).
7. Steps taken to minimize risk of unauthorized access:
- Briefly describe the steps taken to minimize the risk of unauthorized access. System owners must perform a risk assessment upon establishing a new system of records.
Make sure that a risk assessment has been performed for all new systems of records.
Note: Defense Privacy, Civil Liberties, and Transparency Division (DPCLTD) does not collect risk assessments.
Sample standard language:
“Safeguard records in this system according to applicable rules and policies, including all applicable Department of the Army automated systems security and access policies. Access to computerized data is restricted by use of Common Access Cards (CACs) and is accessible only by users with an authorized account. The system and electronic backups are maintained in controlled facilities that employ physical restrictions and safeguards such as security guards, identification badges, key cards, and locks.”
8. Routine use compatibility
This should read the same as in the new System of Records Notice.
Routine uses apply to information sharing external to the Department of Defense (DOD).
The term “routine use” is defined, with respect to the disclosure of a record, as “the use of such record for a purpose which is compatible with the purpose for which the record was collected.”
Routine uses ensure that the public receives adequate notice of the planned uses of the information in the system of records.
Provide a detailed list of what the agency does or might do with the information it collects on an individual. Each routine use should identify:
- Which non-DOD Agencies and entities (including private sector entities) will routinely be provided access to the data or will be given the data upon request?
- To which specific element within each listed agency/entity may information be disclosed?
- What type of information is being disclosed to each listed agency/entity?
- Why is the information being disclosed to each of the agencies/entities listed?
Routine uses should be written as:
To… (user) … to … (uses – what they do with the information) … for the purposes of … (objective).
Example: To the Department of Veterans Affairs (DVA) to provide Uniformed Service personnel and pay data for present and former Uniformed Service personnel for the purpose of evaluating use of veterans’ benefits, validating benefit eligibility and maintaining the health and well-being of veterans and their family members.
- Courts have held that if an agency uses a record in a way that was not listed as a routine use, that use may not hold up in court.
- General statements such as “to other Federal Agencies as required” or “to any other appropriate Federal Agency” will not be accepted.
Keep in mind the following rule:
If your routine use clause shows “None”, and you get a request from another non-DOD entity for access to the records, you must refuse the request, no matter how valid the request or how important it is that you comply.
Make sure the language below is included in this section:
“In addition to those disclosures generally permitted under 5 U.S.C. 552a(b) of the Privacy Act of 1974, as amended, the records contained therein may specifically be disclosed outside the DOD as a routine use pursuant to 5 U.S.C. 552a(b)(3) as follows:
The DOD Blanket Routine Uses set forth at the beginning of the Army's compilation of systems of records notices may apply to this system. The complete list of DOD Blanket Routine Uses can be found online at: http://dpcld.defense.gov/Privacy/SORNsIndex/”
If collecting medical records, also include this language: “The DOD Health Information Privacy Regulation (DOD 6025.18-R) issued pursuant to the Health Insurance Portability and Accountability Act of 1996, applies to most such health information. DOD 6025.18-R may place additional procedural requirements on the uses and disclosures of such information beyond those in the Privacy Act of 1974 or mentioned in this system of records notice.”
9. OMB information collection requirements:
This is required when you are collecting information from the public to be maintained in this system of records. Contact the Army Information Management Control Office if you have any questions.
Provide the title of any information collection required (e.g., forms and form numbers, surveys, interviews, etc.) contained in the system of records.
- OMB collection required: Yes/No
- If Yes, provide the information below:
  - OMB Control Number (if approved):
  - Title of collection if other than #10:
  - Date Approved or Submitted:
  - Expiration Date (if approved):
If collecting on members of the public and no OMB approval is required, provide an explanation and/or state the applicable exception(s).
10. Name of IT System:
- List all the systems, including feeder systems, associated with the collection.
- State “None” if the records are paper only.