The Privacy Act of 1974 (5 U.S.C. § 552a) regulates the collection, maintenance, use, and dissemination of records about individuals that are retrieved by a personal identifier. To ensure compliance with the Federal Fair Information Practice Principles requirements, APHIS will continue to provide safeguards against invasions of privacy by limiting the collection of personal data. The data collection must be relevant for the purposes for which it is collected and shall not be used for any other purpose. Individuals who are subject to a collection shall have access to that information and the right to correct any information that is inaccurate.
What is the Privacy Act?
The Privacy Act is one of the key legislative acts governing the protection of records maintained on individuals. The Privacy Act established safeguards for the protection of records that the federal government collects and maintains on United States citizens and individuals who have been lawfully admitted for permanent residence.
The Privacy Act allows individuals to:
APHIS is committed to the Fair Information Practice Principles:
The Privacy Act generally provides that any eligible person has a right of access to federal agency records in which that person is a subject, except to the extent that such records (or portions thereof) are protected from disclosure by one of ten exemptions. When a portion of a record is withheld from public release, the subsection of the Privacy Act law describing that exemption or exemptions may be found in the margin next to or directly on top of where the withheld text would have been found. The list below describes the type of material withheld under each subsection of the Privacy Act. The exact language can be found in the Privacy Act.
Exemption (d)(5): Information compiled in reasonable anticipation of civil action or proceeding; self-executing exemption.
Exemption (j)(1): CIA records (information concerning polygraph records, sources and methods to gather intelligence -- including the facilities, organization, functions, names, official titles, salaries, or numbers of personnel employed by the Agency -- and documents or information provided by foreign governments).
Exemption (j)(2): Principal function criminal law enforcement agency; records compiled during course of criminal law enforcement proceeding.
Exemption (k)(1): Classified information under an Executive Order in the interest of national defense or foreign policy.
Exemption (k)(2): Non-criminal law enforcement records; criminal law enforcement records compiled by non-principal function criminal law enforcement agency; coverage is less broad where individual has been denied a right, privilege, or benefit as a result of information sought.
Exemption (k)(3): Pertain to the protection of the President of the United States or other individual pursuant to section 3056 of Title 18.
Exemption (k)(4): Required by statute to be maintained and used solely as statistical records.
Exemption (k)(5): Investigatory material used only to determine suitability, eligibility, or qualifications for federal civilian employment or access to classified information when the material comes from confidential sources.
Exemption (k)(6): Testing or examination material used to determine appointment or promotion of federal employees when disclosure would compromise the objectivity or fairness of the process.
Exemption (k)(7): Military evaluative records (similar to (k)(5)).
What are the Exceptions to Disclosure?
The Privacy Act prohibits the disclosure of a record about an individual from a system of records absent the written consent of the individual (“No Disclosure without Consent”), unless the disclosure is pursuant to one of twelve statutory exceptions.
Conditions of Disclosure to Third Parties:
The “No Disclosure Without Consent” rule states that “No agency shall disclose any record which is contained in a system of records by any means of communication to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains [subject to the 12 exceptions].” 5 U.S.C. § 552a(b).
The twelve exceptions to the “No Disclosure Without Consent” rule are:
What is a Privacy Threshold Analysis?
A Privacy Threshold Analysis (PTA) is a questionnaire used to determine if an information technology system contains Personally Identifiable Information (PII), whether a Privacy Impact Assessment (PIA) is required, whether a System of Records Notice (SORN) is required, and if any other privacy requirements apply to the system.
A PTA should be completed when proposing a new information technology system that will collect, store, or process identifiable information or when starting to develop or significantly modify such a system, or when a new electronic collection of identifiable information is being proposed.
The purpose of a PTA is to:
What is a Privacy Impact Assessment?
Privacy Impact Assessments (PIAs) are required by Section 208 of the E-Government Act for all Federal government agencies. A PIA is an analysis of how information is collected, maintained, stored, and disseminated. In addition, its purpose is to ensure compliance with applicable legal, regulatory, and policy requirements for privacy; determine and examine the privacy risks and effects; and evaluate the protections and processes for handling information to mitigate those privacy risks. The PIA uses the Fair Information Practice Principles (FIPPs) to assess and mitigate any impact on an individual’s privacy.
PIAs must be made publicly available, unless the publication would raise security concerns, reveal classified information (i.e., national security), or reveal sensitive information (e.g., potentially damaging to a national interest, law enforcement effort, or competitive business interest).
A PIA will notify the public on:
A PIA must be conducted before:
Pursuant to OMB Memorandum M-03-22, PIAs must be conducted and updated, annually, to reflect changed information collection authorities, business processes, or other factors affecting the collection and handling of information in identifiable form, in addition to where a system change creates new privacy risks, such as:
Approved APHIS PIAs can be found below:
What is a System of Records?
A System of Records is a group of records under the control of any federal agency from which information is retrieved by a unique personal identifier assigned to an individual.
What is a System of Records Notice?
A System of Records Notice (SORN) is a formal notice to the public published in the Federal Register that provides a description of a particular system of records.
SORNs have the following purposes:
The following SORNs have been published in the Federal Register by APHIS:
The Privacy Act permits an individual to gain access to records or any information pertaining to that individual which is contained in a system of records, subject to certain limitations and exemptions. The request must be in writing in accordance with the instructions set forth in the System of Records Notice for that system of records. The request must include the following information:
7 CFR, Part 1, Subpart G §1.112
Times, places, and requirements for identification of individuals making requests.
Pursuant to 7 CFR, Part 1, Subpart G §1.113(e), if an individual submitting a request for access under § 1.112 wishes to be supplied with copies of the records by mail, the requester shall include with his or her request sufficient data for the agency to verify the requester's identity. If the sensitivity of the records warrants it, the agency may require the requester to submit a signed, notarized statement indicating that the requester is the individual to whom the records pertain and stipulating the requester understands that knowingly or willfully seeking or obtaining access to records about another individual under false pretenses is a misdemeanor punishable by fine up to $5,000. No identification shall be required, however, if the records are required by 5 U.S.C. 552 to be released. If the agency to which this request is directed determines to grant the requested access, it may charge fees in accordance with § 1.120 before making the necessary copies.
[40 FR 39519, Aug. 28, 1975, as amended at 62 FR 33981, June 24, 1997]
Submit your request by mail, facsimile, or e-mail.
USDA – Animal and Plant Health Inspection Service
Tonya Woods, FOIA/PA Director
4700 River Road, Unit 50
Riverdale, MD 20737
VIA Web Request Form: Click here to submit your Privacy Act Request Online. If you should need assistance using the Web Request Form, you may contact the FOIA/PA Office at 301-851-4102.
How Do I Request an Administrative Appeal of a Denied Amendment or Correction Request?
Appeals – If you are dissatisfied with APHIS’ handling of your request for amendment or correction, you may appeal to the APHIS Administrator. In the event that the APHIS Administrator denies your request, you may seek judicial review in the Federal district court.
USDA – Animal and Plant Health Inspection Service
4700 River Road
Riverdale, MD 20737
The Judicial Redress Act of 2015
The Judicial Redress Act, a public law, extends certain rights of judicial remedies established under the Privacy Act of 1974.
E-Government Act of 2002
Governs the requirement of PIAs and PTAs for Information Technology systems.
Federal Records Act of 1950 (FRA)
The FRA provides that “the head of each Federal agency shall make and preserve records containing adequate and proper documentation of the organization, functions, policies, decisions, procedures, and essential transactions of the agency and designed to furnish the information necessary to protect the legal and financial rights of the Government and of persons directly affected by the agency’s activities.” [44 U.S.C. § 3101]
Freedom of Information Act (FOIA)
Federal agencies are required to disclose any information requested under the FOIA unless it falls under one of nine exemptions which protect interests such as personal privacy, national security, and law enforcement.
Paperwork Reduction Act of 1995 (PRA)
The Paperwork Reduction Act (PRA), signed into law in 1980 and reauthorized in 1995, provides the statutory framework for the Federal government’s collection, use, and dissemination of information.
OMB Privacy Guidance and Policies
Privacy Act Implementation, Guidelines and Responsibilities
OMB Circular No. A-130, Managing Information as a Strategic Resource- FISMA
OMB Circular No. A-108, Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act
OMB Memorandum M-99-18, Privacy Policies on Federal Web Sites
OMB Memorandum M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002
OMB Memorandum M-10-22, Guidance for Online Use of Web Measurement and Customization Technologies
OMB Memorandum M-10-23, Guidance for Agency Use of Third-Party Websites and Applications
OMB Memorandum M-16-24, Role and Designation of Senior Agency Officials for Privacy
OMB Memorandum M-17-06, Policies for Federal Agency Public Websites and Digital Services
OMB Memorandum M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information
Communication with the Privacy Act Office at the United States Department of Agriculture’s Animal and Plant Health Inspection Service may be sent to:
Tonya Woods, Privacy Act Director
Animal and Plant Health Inspection Service
Freedom of Information and Privacy Act Staff
4700 River Road, Unit 50
Riverdale, MD 20737
When a PII incident is suspected or detected call:
Agriculture Security Operations Center Incident Handling Team
1-866-905-6890 or 1-877-744-2968
To report a PII incident online:
File a report on cybersecurity.usda.gov or send an email to email@example.com
More information regarding USDA’s Personally Identifiable Information Breach Notification and Incident Response Plan and reporting procedures can be found here.