Guidelines for Establishing a New Privacy Act System of Records Notice

By DON CIO Privacy Team - Published, September 24, 2010

All Privacy Act system of records notice (SORN) actions are transmitted electronically to the Chief of Naval Operations, Department of Defense and the Federal Register, because this method is both time and cost effective. Since DoD uses special software to transmit the text to the Federal Register, please do not indent, underline, bold, double-space or center the text.

All new systems require a "Narrative Statement on a New System of Records Notice."

Please prepare your text and the narrative statement using Microsoft Word and submit it electronically to the Head, DON PA/FOIA Policy Branch (DNS-36) via email to privacy@navy.mil.

Prior to designing a new system, however, we highly recommend that you contact CNO (DNS-36) to discuss the matter. Phone numbers are: (202) 685-6545/DSN 325-6545 or email: privacy@navy.mil.

It takes approximately 120 days to establish a new system, which includes approval by DoD and Congress, and publication in the Federal Register.

View the Navy, DoD, DoD components and Government-wide SORNs.

The format for a PA systems notice is as follows:

System Identification: Navy PA Systems of Records Notices begin with the letter "N" and are numbered using the Standard Subject Identification Code (SSIC) number taken from the Standard Naval Distribution List (SNDL). If the SSIC number is four digits, it is proceeded by a "0," (e.g., N01070), followed by a dash and then a sequence number (e.g., N01070-3).

System Name: The system name should indicate the general nature of the system of records and, if possible, the general category of the individual to whom it pertains. It may not exceed 55 character positions, which includes punctuation and spaces. Acronyms are discouraged unless there is no room to spell them out completely.

System Location:

• For a system maintained in a single location, provide the official organizational name and complete mailing address, using the postal service's two-letter state abbreviation and nine-digit zip code. For example, Chief of Naval Operations (DNS-36), 2000 Navy Pentagon, Washington, DC 20350-2000.
• For a geographically or organizationally decentralized system, list addresses for all activities that maintain a portion of the system of records.
For an automated data system with a central computer facility and input or output terminals at geographically separate locations, list complete mailing addresses for each location.
• If multiple locations are identified, the system location may indicate that official mailing addresses are contained in the Directory of Department of the Navy Mailing Addresses.
• If any activity in the Navy is eligible to use the system, make the following statement: "Organizational elements of the Department of the Navy. Official mailing addresses are published as an appendix to the Navy's compilation of systems of records notices."
• Do not use classified addresses. If necessary, state that the addresses are classified.

Categories of Individuals Covered by the System: Identify the individuals for whom records are being collected.

Categories of Records in the System: Describe in clear, nontechnical terms the types of records maintained in the system. Limit the description to documents actually retained in the system of records. Do not describe source documents that are used only to collect data and then destroyed. Remember to include each item of information that will be identified in the "Retrievability" paragraph discussed below. For example, if you are retrieving information based on an individuals' Social Security number, include this item in this category.

Authority for Maintenance of the System: List the federal laws, executive orders, etc., that allow you to collect and maintain the information. The authorities are in numeric order beginning with the laws and followed by the Executive Orders. The basic statute we use for general collection is 5 U.S.C. 301, Departmental Regulations and if we are collecting the SSN, we cite E.O. 9397.

Purpose: List the specific purpose(s) for which the system of records is maintained, ensuring that you cite the uses for the records within the activity and the rest of the DON.

Routine Uses: At the beginning of the entry, state: "In addition to those disclosures generally permitted under 5 U.S.C. 552a(b) of the Privacy Act, these records or information contained therein may specifically be disclosed outside the DoD as a routine use pursuant to 5 U.S.C. 552a(b)(3) as follows:"

Then, list all disclosures of the records outside the DoD/DON, including the recipient of the disclosed information and the uses the recipient will make of it. For example, "To state and local agencies in the performance of their official duties related to verification of status for determination of eligibility for Veterans Bonuses and other benefits and entitlements, including Department of Labor and state unemployment agencies for unemployment compensation for ex-service members."

Do not use general statements such as "to other Federal Agencies as required."

Finally, conclude this section with: "The 'Blanket Routine Uses' that appear at the beginning of the Navy's compilation of system of record notices also apply to this system" if they in fact apply.

Policies and Practices for Storing, Retrieving, Accessing, Retaining, and Disposing of Records:

Storage: State the method(s) used to store the information in the system. For example: Automated and manual records, computerized database and microform.

Retrievability: Indicate how records are retrieved. For example, "Name and Social Security Number." This information should be included under "Categories of Records in the System."

Safeguards: Generally identify the methods used to protect the records from unauthorized disclosure or tampering. But, do not describe the safeguards in such detail as to compromise system security. An example is: "Computer facilities and terminals are located in restricted areas accessible only to authorized persons who are properly screened, cleared and trained. Information is password protected. Manual records and computer printouts are available only to authorized personnel having a need to know."

System Manager(s) and Address(es): Provide the organization title and a complete mailing address of the activity responsible for maintaining the system. If the record holder is different than the policy official, then list both. For example: "Policy Official: Commander, Naval Criminal Investigative Service, Washington Navy Yard, Building 111, 716 Sicard Street SE, Washington Navy Yard, DC 20388-5380.

Record Holder: Commanding Officer of the activity in question. Official mailing addresses are published as an appendix to the Navy's compilation of systems of records notices.

Notification Procedure: This describes how the individual can determine if a record in the system pertains to him/her. Standard language is as follows: "Individuals seeking to determine whether this system of records contains information about themselves should address written inquiries to [Note: list title and mailing address of naval activity holding the records]. The request should be signed and include [insert items of information listed under the Retrievability paragraph above (e.g., dates of service, SSN, etc.) and a complete mailing address."

Record Access Procedure: This describes how an individual can review the record and obtain a copy of it. Standard language is as follows: "Individuals seeking access to records about themselves contained in this system of records should address written inquiries to [Note: list title and mailing address of naval activity holding the records]. The request should be signed and include [insert items of information listed under the Retreivability paragraph above (e.g., dates of service, SSN, etc.) and a complete mailing address."

Contesting Record Procedure:The standard caption reads: "The Navy's rules for accessing records and for contesting contents and appealing initial agency determinations are published in SECNAVINST 5211.5 series and 32 CFR part 701 or may be obtained from the system manager."

Record Source Categories: This caption describes who, where or what the information is usually taken from. For example: "The individual; correspondence; educational institutions; federal, state and local court documents; civilian and military investigatory reports; general correspondence concerning the individual; official records of professional qualifications; Navy Relief and American Red Cross requests for verification of status."

Exemptions Claimed for the System:

If no exemption has been established for the system, indicate "None."

If an exemption has been established, then cite the exemption. For example: "Parts of this system may be exempt pursuant to 5 U.S.C. 552a(j)(2) if the information is compiled and maintained by a component of the agency that performs as its principle function any activity pertaining to the enforcement of criminal laws.

An exemption rule for this system has been promulgated in accordance with requirements of 5 U.S.C. 553(b) (1), (2), and (3), (c) and (e) and published 32 CFR part 701, subpart G. For additional information contact the system manager."

SAMPLE
DEPARTMENT OF DEFENSE:
DEPARTMENT OF THE NAVY
Narrative Statement on a New System of Records
Under the Privacy Act of 1974

• System identifier and name: N01752-3, Child Sexual Abuse (CSA) Case Management System.
• Responsible official: Comments on the proposed new systems notice may be directed to Karen Roksandic, Navy Personnel Command (Code 661D), 5720 Integrity Drive, Millington, TN 38055-6610; (901) 874-4361.
• Purpose of establishing the system: To maintain copies of all reported Child Sexual Abuse (CSA) cases and maintain a computerized database of alleged CSA offenders for use in tracking the individual, collecting statistics, conducting research studies, complying with Child Protective Service requirements at state and local levels, and assisting in the development of CSA program policy issues.
• Authority for maintenance of the system: 5 U.S.C. 301, Departmental Regulations and E.O. 9397 (SSN) and OPNAVINST 1752.2A.
• Probable or potential effects on the privacy of individuals: None.
• Is the system, in whole or in part, being maintained by a contractor: No.
• Steps taken to minimize risk of unauthorized access: Because these files are highly sensitive, special measures have been taken to ensure they are protected from unauthorized disclosure. While records may be maintained in various kinds of filing equipment, specific emphasis is given to ensuring that the equipment areas are monitored or have controlled access. Information maintained on the computer is password protected. Computer terminals are located in supervised areas with an access controlled system. A risk assessment has been performed and will be made available upon request.
• Routine use compatibility: The "Blanket Routine Uses" set forth at the beginning of the Department of the Navy's compilation of record system notices apply to this system of records and are compatible with the purpose for which the record system was created.


To Federal, state or local government agencies when it is deemed appropriate to utilize civilian resources in the counseling and treatment of individuals or families involved in abuse or neglect or when it is deemed appropriate or necessary to refer a case to civilian authorities for civil or criminal law enforcement.
To officials and employees of Federal, state and local governments and agencies when required by law and/or regulation in furtherance of local communicable disease control, family abuse prevention programs, preventive medicine and safety programs, and other public health and welfare programs. To officials and employees of local and state governments and agencies in the performance of their official duties relating to professional certification, licensing and accreditation of health case providers.
To law enforcement officials to protect the life and welfare of third parties. This release will be limited to necessary information. Consultation with the hospital or regional judge advocate is advised.
• OMB information collection requirements: None.
• Supporting documentation: There are no changes to the existing Department of the Navy procedural or exemption rules for this proposed system.

Enclosure
1. Advance copy of proposed systems notice for publication in the Federal Register

TAGS: FOIA, IA, IDManagement, Privacy