According to the Privacy Act of 1974, as amended (Privacy Act), as implemented within the Department of Defense (DoD) by DoD 5400.11-R, a system of records is a group of records maintained by a DoD Component and containing an individual’s personally identifiable information (PII), which is retrieved by information unique to that individual. There must be actual retrieval from the system by a DoD Component by some information unique to the individual for the Privacy Act and DoD 5400.11-R to apply.
Systems of Records Notices
Prior to the lawful operation of a system of records by a DoD Component, the Privacy Act requires publication of a system of records notice (SORN) in the Federal Register. The SORN for a system of records sets out details related to a new system of records or, if the system already exists, states that it is being altered or amended. A SORN provides an opportunity for interested persons to comment, and also fulfills the Privacy Act notice requirements to inform the general public of the nature of the data a DoD Component is collecting, the purpose and authority for such collection, and the rules a DoD Component must follow in collecting, maintaining, using, and disclosing such data.
A list of all Health Affairs/TRICARE Management Activity (TMA) SORNs can be accessed here.
Establishing New (or Altering/Amending Existing) Systems of Records
- Prepare and submit a SORN review checklist to provide all relevant system information necessary for review and evaluation by the TMA Privacy and Civil Liberties Office in preparation for creating a new SORN or for amending (or deleting) the SORN for an existing system.
- Complete a system format document (The Office of the Secretary of Defense and Joint Staff (OSD/JS) Privacy Office) to properly capture and track potential system changes and updates.
- Prepare a new or revised narrative statement that contains: system identifier and name; responsible official; purpose of establishing the system; authority for the maintenance of the system; probable or potential effects on the privacy of individuals; information on whether the system is in part or whole maintained by a contractor; steps taken to minimize risk of unauthorized access; routine use compatibility; Office of Management and Budget information collection requirements; and supporting documentation that explains the type of system being created or altered.
- Incorporate in the final SORN draft the changes and updates from the system format document and the concepts in the narrative statement and submitted to
- Submit completed SORN drafts to the TMA Privacy and Civil Liberties Office for review and processing.