Privacy Threshold Analysis, Privacy Impact Assessments, and System of Records Notices

Last Modified: August 06, 2024
photo/graphic of a man pushing a holographic lock button

A Privacy Threshold Analysis (PTA) is a questionnaire used to determine if an information technology system contains Personally Identifiable Information (PII), whether a Privacy Impact Assessment (PIA) is required, whether a System of Records Notice (SORN) is required, and if any other privacy requirements apply to the system.

A PTA should be completed when proposing a new information technology system that will collect, store, or process identifiable information or when starting to develop or significantly modify such a system, or when a new electronic collection of identifiable information is being proposed.

The purpose of a PTA is to:

  1. Identify programs and systems that have privacy implications;
  2. Demonstrate the inclusion of privacy considerations during the review of a program or system;
  3. Provide a record of the program or system and its privacy requirements at the Department’s Privacy Office;
  4. Demonstrate compliance with privacy laws and regulations.

What is a Privacy Impact Assessment?

Privacy Impact Assessments (PIAs) are required by Section 208 of the E-Government Act for all Federal government agencies. A PIA is an analysis of how information is collected, maintained, stored, and disseminated. In addition, its purpose is to ensure compliance with applicable legal, regulatory, and policy requirements for privacy; determine and examine the privacy risks and effects; and evaluate the protections and processes for handling information to mitigate those privacy risks. The PIA uses the Fair Information Practice Principles (FIPPs) to assess and mitigate any impact on an individual’s privacy.

PIAs must be made publicly available, unless the publication would raise security concerns, reveal classified information (i.e., national security), or reveal sensitive information (e.g., potentially damaging to a national interest, law enforcement effort, or competitive business interest).

A PIA will notify the public on:

  1. What Personally Identifiable Information (PII) is being collected;
  2. Why the PII is being collected; and
  3. How the PII will be collected, used, accessed, shared, safeguarded and stored.

A PIA must be conducted before:

  1. Developing or procuring any new technologies or systems that handle or collect PII;
  2. Creating a new program, system, technology, or information collection that may have privacy implications;
  3. Updating a system that results in new privacy risks;
  4. Issuing a new or updated rulemaking that involves the collection of PII.

Pursuant to OMB Memorandum M-03-22, PIAs must be conducted and updated, annually, to reflect changed information collection authorities, business processes, or other factors affecting the collection and handling of information in identifiable form, in addition to where a system change creates new privacy risks, such as:

  • Conversions - when converting paper-based records to electronic systems;
  • Anonymous to Non-Anonymous - when functions applied to an existing information collection change anonymous information into information in identifiable form;
  • Significant System Management Changes - when new uses of an existing IT system, including application of new technologies, significantly change how information in identifiable form is managed in the system;
  • Significant Merging - when agencies adopt or alter business processes so that government databases holding information in identifiable form are merged, centralized, matched with other databases or otherwise significantly manipulated;
  • New Public Access - when user-authenticating technology (e.g., password, digital certificate, biometric) is newly applied to an electronic information system accessed by members of the public;
  • Commercial Sources - when agencies systematically incorporate into existing information systems databases of information in identifiable form purchased or obtained from commercial or public sources. (Merely querying such a source on an ad hoc basis using existing technology does not trigger the PIA requirement);
  • New Interagency Uses - when agencies work together on shared functions involving significant new uses or exchanges of information in identifiable form, such as the cross-cutting E-Government initiatives; in such cases, the lead agency should prepare the PIA;
  • Internal Flow or Collection - when alteration of a business process results in significant new uses or disclosures of information or incorporation into the system of additional items of information in identifiable form; or
  • Alteration in Character of Data - when new information in identifiable form added to a collection raises the risks to personal privacy (for example, the addition of health or financial information).

Approved APHIS PIAs can be found below:

What is a System of Records Notice?

A System of Records Notice (SORN) is a formal notice to the public published in the Federal Register that provides a description of a particular system of records.

SORNs have the following purposes:

  • To identify the purpose of a system of records;
  • To identify which individuals are covered by information in a system of records;
  • To identify the categories of records that are maintained about the individuals;
  • To identify how the information is shared by the agency (routine uses);
  • To inform the public of the existence of records;
  • To provide notice to the public of their rights and procedures under the Privacy Act for accessing and correcting information maintained by the agency on an individual.

APHIS has published the following SORNs in the Federal Register:

NumberSystem TitleExemptions
APHIS-1

Investigative and Enforcement Records Regarding Regulatory Activities

  1. 66 FR 57698 (1/15/2002) 
This system has been exempted pursuant to 5 U.S.C. 552(a)(k)(2) from the requirements of 5 U.S.C. 552a(c)(3), (d), (e)(1), (e)(4)(G), (H), and (I) and (f). See 7 CFR 1.23.
APHIS-2

Veterinary Services—Records of Accredited Veterinarians

  1. 81 FR 51177 (08/03/2016; Notice)
  2. 80 FR 27142 (5/12/2015)
The portions of this system that consist of investigatory material compiled for law enforcement purposes have been exempted pursuant to 5 U.S.C. 552a(k)(2) from the provisions of 5 U.S.C. 552a(c)(3), (d), (e)(1), (e)(4)(G), (H), and (I), and (f). See 7 CFR 1.123.
APHIS-3

Veterinary Services—Animal Quarantine Regulatory Actions

  1. 66 FR 57698 (1/15/2002)
This system has been exempted pursuant to 5 U.S.C. 552(a)(k)(2) from the requirements of 5 U.S.C. 552a(c)(3), (d), (e)(1), (e)(4)(G), (H), and (I) and (f). See 7 CFR 1.23.
APHIS-4

Animal Welfare and Horse Protection Regulatory Actions

  1. 66 FR 57698 (1/15/2002)
This system has been exempted pursuant to 5 U.S.C. 552(a)(k)(2) from the requirements of 5 U.S.C. 552a(c)(3), (d), (e)(1), (e)(4)(G), (H), and (I) and (f). See 7 CFR 1.23.
APHIS-5

National Animal Health Laboratory Network

  1. 75 FR 50987 (8/18/2010)
None
APHIS-6VS-Brucellosis Information System and Brucellosis Recording and Reporting SystemThis system has been exempted pursuant to 5 U.S.C. 552(a)(k)(2) from the requirements of 5 U.S.C. 552a(c)(3), (d), (e)(1), (e)(4)(G), (H), and (I) and (f). See 7 CFR 1.23.
APHIS-7 Animal Damage Control Non-Federal Personnel RecordsNone
APHIS-8

Animal Welfare Act and Horse Protection Act

  1. 84 FR 56999 (10/24/2019)
  2. 84 FR 70493 (12/23/2019)
  3. 52 FR 6031 (4/28/1987)
None
APHIS-9

Wildlife  Services Management Information System

  1. 73 FR 23404 (4/30/2008)
None
APHIS-10

APHIS Comprehensive Electronic Permitting System (ePermits)

  1. 73 FR 23406 (4/30/2008)

None

 

APHIS-11

Emergency Management Response System (EMRS)

  1. 73 FR 23409 (4/30/2008)
None
APHIS-12

Notification of Deletion of a System of Records; Automated Trust Funds Database

  1. 73 FR 2341 (4/30/2008)
 

APHIS-13

 

Phytosanitary Certificate Issuance and Tracking System

  1. 78 FR 48642 (8/9/2013)
  2. 78 FR 37775 (6/24/2013)
None
APHIS-14NO APHIS SORN 
APHIS-15

Animal Health Surveillance and Monitoring System  

  1. 76 FR 72897 (11/28/2011)
None
APHIS-16

APHIS National Animal Identification System (NAIS)   

  1. 73 FR 23412 (04/30/2008)
None
APHIS-17NO APHIS SORN 

APHIS-18

(Under revision)

Veterinary Services User Fee System

  1. 77 FR 15033 (3/14/2012)
None

APHIS-19

(Existing system being modified)   

National Veterinary Services Laboratories' Laboratory Information Management System

  1. 78 FR 60245 (10/01/2013)

None

 

APHIS-20

Agricultural Quarantine Activity System (AQAS)

  1. 84 FR 40385 (8/14/2019)
None
APHIS-21

Smuggling Interdiction and Trade Compliance (SITC) National Information Communication Activity System (SNICAS)

  1. 87 FR 41098 (7/11/2022)
The Agency has exempted this system from subsections (c)(3); (d); (e)(1); (e)(4)(G), (H), and (I); and (f) of the Privacy Act pursuant to 5 U.S.C. 552a(k)(2). The exemptions will be applied only to the extent that the information in the system is subject to exemption pursuant to 5 U.S.C. 552a(k)(2).
APHIS-23

USDA/APHIS-23, Integrated Plant Health Information System (IPHIS)

  1. 86 FR 27553 (6/21/2021)
None
APHIS-24

Lacey Act Declaration Information System (LADIS)

  1. 85 FR 8539 (2/14/2020)
None

*Additional Government wide SORNs can be found in the Federal Register. As an informational reference, Government wide SORNs can also be found at the Federal Privacy Council Website.