According to the Privacy Act of 1974, as amended (Privacy Act), as implemented within the Department of Defense (DoD) by DoD 5400.11-R, a system of records is a group of records maintained by a DoD Component and containing an individual’s personally identifiable information (PII), which is retrieved by information unique to that individual. There must be actual retrieval from the system by a DoD Component by some information unique to the individual for the Privacy Act and DoD 5400.11-R to apply.
Systems of Records Notices
Prior to the lawful operation of a system of records by a DoD Component, the Privacy Act requires publication of a system of records notice (SORN) in the Federal Register. The SORN for a system of records sets out details related to a new system of records or, for an existing system of records, states that the system is being altered or amended. A SORN provides an opportunity for interested persons to comment, and also fulfills the Privacy Act notice requirements to inform the general public of the nature of the data a DoD Component is collecting, the purpose and authority for such collection, and the rules a DoD Component must follow in collecting, maintaining, using, and disclosing such data.
Effective October 1, 2013, many of the TRICARE Management Activity (TMA) SORNs were transferred to the new Defense Health Agency (DHA).
However, some SORNs transferred to DHA may still have a system identifier starting with a "D" because of that SORN's previous assignment to the Office of
Secretary of Defense/Joint Staff. These transferred SORNs will soon be republished to have a system identifier starting with an "E." A list of all DHA SORNs may
be accessed here.
Establishing New (or Altering/Amending Existing) Systems of Records
- Prepare and submit a SORN review checklist to provide all relevant system information necessary for review and evaluation by the DHA Privacy and Civil Liberties Office in preparation for creating a new SORN or for amending (or deleting) the SORN for an existing system.
- Complete a system format document to properly capture and track potential system changes and updates.
- Prepare a new or revised
which describes the system.
- Incorporate in the final SORN draft the changes and updates from the system format
document and the concepts in the narrative statement and submitted to
- Submit completed SORN drafts to the DHA Privacy and Civil Liberties Office for review and processing.
System of Record Notices and Privacy Impact Assessments
A SORN is generally required when a group of records maintained by a DoD Component contains PII and that PII is retrieved by information unique to the
individual whose PII is being retrieved. A Privacy Impact Assessment (PIA) is generally required when a DoD information technology (IT) system collects PII.
In most cases, a system that requires a SORN will also require a PIA, but there are situations where only a SORN or PIA is required. To determine whether an
IT system requires a PIA, please visit the DHA Privacy Office’s webpage on PIAs.