System Of Records Notice Q1-2023

System of Record Notice (SORN) is a requirement for Federal agency under Privacy Act of 1974

A SORN is required when all of the following apply:

  • Records are maintained by a Federal agency
  • The records contain information about an individual (PII)
  • The records are retrieved by a personal identifier

A personal identifier might include an individual’s name, address, email address, telephone number, social security number, photograph, biometric information, or any other unique identifier that can be linked to an individual. The mere maintenance of information about an individual is not enough to trigger the SORN requirements of the Privacy Act, although it is enough to trigger the conduct of a privacy impact assessment (PIA)

SORNs have the following purposes:

  • To identify the purpose of a system of records.
  • To identify which individuals are covered by information in a system of records.
  • To identify the categories of records that are maintained about the individuals.
  • To identify how the information is shared by the agency (routine uses).
  • To inform the public of the existence of records.
  • To provide notice to the public of their rights and procedures under the Privacy Act for accessing and correcting information maintained by the agency on an individual.

Whenever a Federal agency maintains information about an individual in a system of records and retrieves the information by a personal identifier), it must publish a SORN in the Federal Register.

As an example, let’s assume Office Personnel Management (OPM) operates a visitor management system. The system stores information about individuals by name, email address, telephone number and date of arrival at OPM, but the system retrieves information only by date of arrival at OPM. Under these circumstances, the visitor management system is not a system of records under the Privacy Act. However, if the system retrieved information by an individual’s identifying information; it would qualify as a system of records under the Privacy Act.

In today’s IT environment, most systems are designed to retrieve records by multiple identifiers, including by personal identifier. The requirements of the Privacy Act apply, regardless of whether the records are electronic or paper.

A System of Record Notice (SORN) is generally required when a group of records maintained by a federal system contains PII and that PII is retrieved by information unique to the individual whose PII is being retrieved. The information in the SORN is accessible public and open for comments for a define period of time.

Component of SORN:
Homeland Security SORNs repository: records-notices-sorns
HHS SORNs Repository

Sample SORN: SORN is the 5th deliverable in the categorization process

error: Content is protected !!