
Privacy Act Home


The Act (5 U.S.C. 552a) regulates the collection, maintenance, use, and dissemination of records about individuals that are retrieved by a personal identifier and collected, used or disseminated by agencies and departments of the executive branch, including APHIS. To ensure compliance with the Federal requirements, APHIS must foster an environment conducive to the protection of personal privacy.

What is the Privacy Act?

The Privacy Act of 1974 (5 U.S.C. 552a), as amended, is one of the key legislative acts governing the protection of records maintained on individuals. The Act establishes safeguards for the protection of records that the federal government collects and maintains on United States citizens and aliens lawfully admitted for permanent residence.


  • APHIS will disclose why information is being collected and how it will be used;
  • APHIS will use records only for the reasons given, or the agency must seek the person’s permission when another purpose for the records’ use is considered necessary or desirable;
  • APHIS will only maintain what is needed to accomplish agency business;
  • APHIS will provide adequate safeguards to protect the record from unauthorized access and disclosure;
  • APHIS will publish any new, revised, or deleted system notices in the Federal Register;
  • APHIS will ensure that information is accurate, relevant, and complete; and
  • APHIS will provide individuals with the opportunity to correct inaccuracies in their record.

The Privacy Act allows individuals to:

  • Seek access to records retrieved by their name and personal identifier;
  • Seek the amendment of any inaccurate information;
  • Provide written authorization for representatives to act on their behalf.

Please Note:

    • In some cases, the Privacy Act may not allow release of your personal records.
    • The Privacy Act applies only to U.S. citizens and aliens who are lawfully admitted for permanent residence in the United States.
    • The Privacy Act binds only Federal agencies, and covers only records in the possession and control of Federal agencies.

The Privacy Act prohibits the disclosure of a record about an individual from a system of records absent the written consent of the individual, unless the disclosure is pursuant to one of twelve statutory exceptions. The Act also provides individuals with a means by which to seek access to and amendment of their records, and sets forth various agency record-keeping requirements.

A privacy threshold analysis (PTA) is a questionnaire used to determine whether a system contains personally identifiable information (PII), whether a Privacy Impact Analysis is required, and whether a System of Records Notice (SORN) is required.

A PTA should be completed when proposing a new information technology system through the budget process that will collect, store, or process identifiable information or when starting to develop or significantly modify such a system, or when a new electronic collection of identifiable information is being proposed. A PTA will determine if a PIA is required.

A Privacy Impact Assessment (PIA) is an analysis of how information in identifiable form is collected, maintained, stored, and disseminated, in addition to examining and evaluating the privacy risks and the protections and processes for handling information to mitigate those privacy risks.

PIAs must be made publicly available unless the agency determines that publication would raise security concerns, reveal classified (i.e., national security) information, or reveal sensitive information (e.g., potentially damaging to a national interest, law enforcement effort, or competitive business interest).

A PIA must be conducted before:

  1. Developing or procuring IT systems or projects that collect, maintain or disseminate information in identifiable form from or about members of the public, or
  2. Initiating, consistent with the Paperwork Reduction Act, a new electronic collection of information in identifiable form for 10 or more persons (excluding agencies, instrumentalities or employees of the federal government).

Pursuant to OMB……. PIA must be updated to reflect changed information collection authorities, business processes, or other factors affecting the collection and handling of information in identifiable form, in addition to where a system change creates new privacy risks, such as:

  • Conversions - when converting paper-based records to electronic systems;
  • Anonymous to Non-Anonymous - when functions applied to an existing information collection change anonymous information into information in identifiable form;
  • Significant System Management Changes - when new uses of an existing IT system, including application of new technologies, significantly change how information in identifiable form is managed in the system;
  • Significant Merging - when agencies adopt or alter business processes so that government databases holding information in identifiable form are merged, centralized, matched with other databases or otherwise significantly manipulated;
  • New Public Access - when user-authenticating technology (e.g., password, digital certificate, biometric) is newly applied to an electronic information system accessed by members of the public;
  • Commercial Sources - when agencies systematically incorporate into existing information systems databases of information in identifiable form purchased or obtained from commercial or public sources. (Merely querying such a source on an ad hoc basis using existing technology does not trigger the PIA requirement);
  • New Interagency Uses - when agencies work together on shared functions involving significant new uses or exchanges of information in identifiable form, such as the cross-cutting E-Government initiatives; in such cases, the lead agency should prepare the PIA;
  • Internal Flow or Collection - when alteration of a business process results in significant new uses or disclosures of information or incorporation into the system of additional items of information in identifiable form; or
  • Alteration in Character of Data - when new information in identifiable form added to a collection raises the risks to personal privacy (for example, the addition of health or financial information).

Sample PIA template (insert link)

What is a SORN?
APHIS informs the public about its record systems covered by the Privacy Act by publishing “Notices” in the Federal Register. The record systems are referred to as Privacy Act systems of records (SOR) and the notices (SORN) provide a description of a particular system of records.

SORNs have the following purposes:

  • To identify the purpose of a system of records.
  • To identify which individuals are covered by information in a system of records.
  • To identify the categories of records that are maintained about the individuals.
  • To identify how the information is shared by the agency (routine uses).
  • To inform the public of the existence of records.
  • To provide notice to the public of their rights and procedures under the Privacy Act for accessing and correcting information maintained by the agency on an individual.

The following system of records notices (SORNs) have been published in the Federal Register by APHIS:

SORNs published by the United States Department of Agriculture (USDA) can be found here. (add link)

Privacy Act Officer, SAOP

Send Questions, Comments or Complaints on the APHIS’ Privacy program to …

How to Submit a PA Request

  • The request must be in writing, indicating that the request is being made under the PA. CFR Title 7, Part 1, Subpart G §1.112
  • The request must clearly state what records are being sought.
  • Subject matter, relevant names, locations (offices), and dates.
  • Be specific and concise
  • Date your request and provide a mailing address
  • Submit your request by mailing, facsimile, or e-mail
  • Mailings:
    FOIA/PA Director
    Tonya Woods
    USDA – Animal and Plant Health Inspection Service
    4700 River Road, Room 2B02E
    Riverdale, MD 20737
  • Facsimile: 301-734-5931
  • Email:
  • Times, places, and requirements for identification of individuals making requests. CFR Title 7, Part 1, Subpart G §1.113
    • If APHIS grants a request for a personal inspection of the records, an appointment will be scheduled for the requester to come review the records???
    • Proper identification is required prior to the inspection of the records (e.g. driver’s license, social security card, passport). If the requester is unable to provide identification, he or she must complete and sign a statement asserting their identity and stipulating to understanding that knowingly or willfully seeking or obtaining access to records about another individual under false pretenses is a misdemeanor punishable by fine up to $5,000.
    • Disclosure of records to individuals other than the subject of the records is prohibited.
      • Exceptions: the subject of the records can provide written consent to disclose or disclosure may be authorized by FOIA. CFR Title 7, Part 1, Subpart G §1.119
  • No identification is required if the records are required to be released under 5 U.S.C. 552.
  • Timing – the Privacy Act does not specify statutory requirements for processing time.
    • Can be defined by agency regulation??

  • Fees – for fee schedule see 7 CFR Part 1, Appendix A
    • APHIS is permitted to recover the costs of providing information and records on a FOIA request
    • PA request fees are limited to duplication costs. See CFR Title 7, Part 1, Subpart G §1.120
      • Photocopies of pages 8 1/2” x 14” or smaller = $0.20 per page (per individual side of sheet).
      • Photocopies of pages larger than 8 1/2” x 14” = $0.50 per linear foot of the longest side of the copy.
      • For other forms of duplicated records (microform, audio-visual materials, or machine-readable documentation) = the actual direct cost of producing the records.
        A fee estimate will be provided

  • Appeals – if your request is denied, you may appeal. If your appeal is denied you can bring a civil action in federal court.
    • Amendments of factual information are permitted, not opinions.
    • Reasons to appeal: CFR Title 7, Part 1, Subpart G §1.112(b) and (c)
      • denial of access
      • denial of amendment
      • process established by regulation not statute

  • Who Responds?? –
    • FOIA/PA Director
      Tonya Woods
      USDA – Animal and Plant Health Inspection Service
      4700 River Road, Room 2B02E
      Riverdale, MD 20737
  • Systems Manager?

Records Disposition Schedules  All records disposition schedules are available here. (insert pdf link)

Exemptions  A system is marked as “exempted” if the CFTC has exempted it from access, amendment and other provisions of the Privacy Act of 1974 pursuant to 5 U.S.C. § 552a(k)(2) because the system contains investigatory material compiled for law enforcement purposes.

Disclosures  The CFTC may release records as stated in an applicable SORN and also under its blanket “routine uses” of records, as authorized by the Privacy Act, 5 U.S.C. § 552a(b)(3). The CFTC’s complete list of blanket routine uses is available here. (insert link)
