Frequently Asked Questions
The four basic objectives of the Privacy Act are: to restrict disclosure of personally identifiable information (PII) to those who have a need in the performance of their duties; to grant individuals access to records maintained on themselves; to permit individuals to gain access and to correct records that are not accurate, relevant, timely, or complete; and to establish a code of “fair information practices” to regulate the collection, maintenance, use, and dissemination of PII on individuals.
A citizen of the United States or an alien lawfully admitted for permanent residence.
The PRA and Privacy Act of 1974, as amended are two separate laws for different issues with separate requirements, but they are meant to work together. The PRA deals with approval to collect the information and the Privacy Act deals with maintaining and protecting the information. For more information, see PRA & the Privacy Act.”
The term “personally identifiable information” refers to information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.
Examples of PII
Safeguards are administrative, physical, or technical measures the Army takes to prevent authorized access to or disclosure of personally identifiable information (PII).
- Administrative Safeguards: Training personnel on information handling best practices.
- Physical Safeguards: Ensuring paper records and servers are secured and access is controlled.
- Technical Safeguards: Encrypting computers and emails, and requiring Common Access Cards for system access.
A Privacy Act Statement notifies individuals of the authority, purpose, and use of the collection, whether the information is mandatory or voluntary, and the effects of not providing all or any part of the requested information. In general the PAS includes the following:
- Authority: The Federal law or Executive Order that allows the collection.
- Purpose: How the collected information will be used.
- Routine Uses: Agency approved circumstances in which a record may be shared outside of the agency in accordance with the purpose for which the information was collected and maintained by the agency.
- Disclosure: Whether or not the disclosure of information is "Voluntary" or "Mandatory". It is only appropriate to cite "Mandatory" when a Federal Law or Executive Order of the President specifically imposes a requirement to furnish the information and provides a penalty for failure to do so. If furnishing information is a condition for granting a benefit or privilege voluntarily sought by the individual, it is voluntary for the individual to give the information.
A system of records is a group of records under the control of a Federal government agency from which personal information about an individual is retrieved by the name of the individual, or by some other identifying number, symbol, or other unique identifier.
Examples of personal information retrieved
A SORN is a legally binding public notification identifying and documenting the purpose for a system of records, the individuals covered by the system, the types of records in the system, and how the information is shared. SORNs generally describe the 'who, what, where, and why' of a system and describe the processes for individuals to access or contest the information being held on them in that system. SORNs are required by the Privacy Act of 1974 and are published in the Federal Register for a period to provide the public an opportunity for comment before the system data collection (paper based or electronic) is started. A SORN is only required if the information in a system of records is actually retrieved by a personal identifier. For a list of published Army SORNs, please click here.
A SORN is required when all of the following apply:
- Records are maintained by a Federal agency
- The records contain information about an individual
- The records are retrieved by a personal identifier
The Army Privacy Office assigns the SORN System Identifier (also known as the SORN number).
How is the SORN System Identifier (also known as the SORN number) determined by the Army Privacy Office?
The SORN System Identifier (also known as the SORN number) typically begins with the letter "A" which stands for "Army", and the numbers following the "A" represent the primary Army Regulation governing the system of records.
A SORN is not required when one or more of the following applies:
- The information collected is not considered a record as defined by the Privacy Act
- The records are not retrieved using a personal identifier
The Secretary of the Army, or a delegated representative, may exempt Army system of records from certain requirement of the Privacy Act. The two kinds of exemptions are general and specific. For more information see Exempting a System of Records (SOR).
A Proposed Rule is an official document that announces and identifies the subsections of the Act which are being exempted. It describes the nature, effect, and reasons for the proposed exemption in greater detail than the system of records notice itself.
A routine use is an agency-approved circumstance in which a record may be shared outside of the Department of Defense (DOD) in accordance with the purpose for which the information was collected and maintained by DOD. The routine use must be included in the published notice for the system of records involved. See DOD Blanket Routine Uses.
How does the Government inform the public about the record systems that are covered by the Privacy Act?
The Government informs the public about record systems covered by the Privacy Act by publishing notices in the Federal Register. The record systems are referred to as Privacy Act systems of records and the notices provide a description of particular systems of records.
A SORN is published in the Federal Register to:
- Prevent the creation of a system of records without first giving individuals an opportunity to review and comment on the purpose and routine uses for which their Personally Identifiable Information (PII) is collected, and
- Help individuals locate systems of records that are likely to contain PII pertaining to them.
An employee of the Army may be found guilty of a misdemeanor and fined not more than $5,000 for willfully maintaining a system of records without filing a notice within the Federal Register.
Should a System of Records Notice (SORN) be published in the Federal Register before or after a system is operational?
Before. The Privacy Act of 1974 requires agencies to publish a SORN in the Federal Registerfor a 30-day comment period before the agency begins to operate the system to collect and use the information. See OMB Circular A-130, Appendix I, § 4(c).
How long is the comment period when a System of Records Notice (SORN) appears in the Federal Register?
The comment period is 30-days.
The Privacy Act Compilation, as directed by the Privacy Act of 1974 is biennially compiled and published by the Office of the Federal Register (OFR).
The Privacy Act Compilation consists of:
- Descriptions of systems of records maintained on individuals by Federal agencies and agency recordkeeping policies and practices as published in the Federal Register;
- Agency rules of procedure for individuals requesting information about their records, as codified in the Code of Federal Regulations, and
- Computer matching program notices, as issued under the Computer Matching and Privacy Protection Act of 1988, Public Law 100-503.
Editions of the Privacy Act Compilation are posted on ofr.gov, a website maintained by the OFR and the U.S. Government Publishing Office (GPO) as an e-Government service of the National Archives and Records Administration (NARA)/GPO partnership.
The e-Government Act of 2002 requires agencies to conduct a Privacy Impact Assessment. A PIA is a decision tool used to identify and mitigate privacy risks that notifies the public:
- What personally identifiable information (PII) is collected
- Why PII is being collected, and
- How PII will be collected, used, accessed, shared, safeguarded, and stored.
A PIA is required before a program or system containing personally identifiable information (PII) becomes operational. The established reasons for conducting a PIA include:
- When developing or procuring any new Department program or system that will handle or collect PII
- For budget submissions to the Office of Management and Budget (OMB) that affect PII
- With pilot tests that affect PII
- When developing program or system revisions that affect PII, and
- When issuing a new or updated rulemaking that involves the collection, use, and maintenance of PII.
The Program Manager is responsible for completing the PIA in close cooperation with the proponent Privacy Official. Once the PIA is complete, the component Privacy Official should submit the completed PIA to CIO-G6 for review.
A SORN is not a PIA. The e-Government Act of 2002 requires Army Activities to conduct a PIA before developing or procuring IT systems, or initiating projects that collect, maintain, or disseminate Personally Identifiable Information (PII) from or about members of the public.
In most cases a SORN and PIA will both be required. The PIA should be initiated at the beginning of system development and issued alongside the SORN.
If an existing collection of information with a completed PIA and SORN updates or changes its technology, even if the scope of the information collection remains the same, the PIA must be updated to analyze the new privacy impacts of the technology. The SORN covering the system must also be reviewed to ensure its continuing completeness and accuracy, but may not necessarily need to be updated.
The DOD Instruction 1000.30, “Reduction of Social Security Number (SSN) Use Within DOD” establishes the requirement for reducing unnecessary use of the SSN. The DOD is requiring all components to evaluate how the SSN is used and eliminate unnecessary use. For example, the SSN Reduction Plan implements a procedure for all new forms and IT systems, that includes review, justification, and approval for the continued collection of SSNs.
The DPCLTD combines DOD's Defense Privacy Office, which was created in 1975 to implement the Privacy Act of 1974, and the Civil Liberties Office, which was created in 2009 to implement the Implementing Recommendations of the 9/11 Commission Act of 2007. The mission of the office is "To implement the Department of Defense's Privacy and Civil Liberties programs through advice, monitoring, official reporting, and training."
What role does the Defense Privacy, Civil Liberties, and Transparency Division (DPCLTD) play in protecting civil liberties and privacy rights?
DPCLTD assumes an active role in protecting the civil liberties and privacy rights of U.S. Armed Forces service members, the DOD workforce, U.S. persons, and lawfully admitted aliens. DPCLTD advises the Department of Defense's senior leadership on issues impacting privacy and civil liberties, including the proposed development of new policies, programs and activities. In addition, DPCLTD is proactive in making available information papers and training for the DOD workforce to educate key decision makers on the privacy and civil liberties implications of DOD actions.
The system owner/manager is the individual responsible for one or more information systems supporting his/her assigned functions.