Skip to main content

Privacy Act


The Privacy Act of 1974 (5 U.S.C. § 552a) regulates the collection, maintenance, use, and dissemination of records about individuals that are retrieved by a personal identifier. To ensure compliance with the Federal Fair Information Practice Principles requirements, APHIS will continue to provide safeguards against invasions of privacy by limiting the collection of personal data. The data collection must be relevant for the purposes for which it is collected and shall not be used for any other purpose. Individuals who are subject to a collection shall have access to that information and the right to correct any information that is inaccurate.

What is the Privacy Act?

The Privacy Act is one of the key legislative acts governing the protection of records maintained on individuals. The Privacy Act established safeguards for the protection of records that the federal government collects and maintains on United States citizens and individuals who have been lawfully admitted for permanent residence.

The Privacy Act allows individuals to:

  • Seek access to records retrieved by their name and personal identifier;
  • Seek the amendment of any inaccurate information;
  • Provide written authorization for representatives to act on their behalf.

APHIS is committed to the Fair Information Practice Principles:

  • APHIS will disclose why information is being collected and how it will be used;
  • APHIS will use records only for the reasons given, or the agency must seek the person’s permission when another purpose for the records’ use is considered necessary or desirable;
  • APHIS will only maintain what is needed to accomplish agency business;
  • APHIS will provide adequate safeguards to protect the record from unauthorized access and disclosure;
  • APHIS will publish any new, revised, or deleted system notices in the Federal Register;
  • APHIS will ensure that information is accurate, relevant, and complete; and
  • APHIS will provide individuals with the opportunity to correct inaccuracies in their record.

Please Note:

  • The Privacy Act binds only Federal agencies and covers only records in the possession and control of Federal agencies.

The Privacy Act generally provides that any eligible person has a right of access to federal agency records in which that person is a subject, except to the extent that such records (or portions thereof) are protected from disclosure by one of ten exemptions.  When a portion of a record is withheld from public release, the subsection of the Privacy Act law describing that exemption or exemptions may be found in the margin next to or directly on top of where the withheld text would have been found.  The list below describes the type of material withheld under each subsection of the Privacy Act. The exact language can be found in the Privacy Act. 

Ten Exemptions 

Exemption (d)(5):  Information compiled in reasonable anticipation of civil action or proceeding; self-executing exemption. 

Exemption (j)(1):  CIA records (information concerning polygraph records, sources and methods to gather intelligence -- including the facilities, organization, functions, names, officials titles, salaries, or numbers of personnel employed by the Agency -- and documents or information provided by foreign governments). 

Exemption (j)(2):  Principal function criminal law enforcement agency; records compiled during course of criminal law enforcement proceeding. 

Exemption (k)(1):  Classified information under an Executive Order in the interest of national defense or foreign policy. 

Exemption (k)(2):  Non-criminal law enforcement records; criminal law enforcement records compiled by non-principal function criminal law enforcement agency; coverage is less broad where individual has been denied a right, privilege, or benefit as result of information sought. 

Exemption (k)(3):  Pertain to the protection of the President of the United States or other individual pursuant to section 3056 of Title 18. 

Exemption (k)(4):  Required by statute to be maintained and used solely as statistical records. 

Exemption (k)(5):  Investigatory material used only to determine suitability, eligibility, or qualifications for federal civilian employment or access to classified information when the material comes from confidential sources. 

Exemption (k)(6):  Testing or examination material used to determine appointment or promotion of federal employees when disclosure would compromise the objectivity or fairness of the process. 

Exemption (k)(7):  Military evaluative records (similar to (k)(5)).

What are the Exceptions to Disclosure? 

The Privacy Act prohibits the disclosure of a record about an individual from a system of records absent the written consent of the individual (“No Disclosure without Consent”), unless the disclosure is pursuant to one of twelve statutory exceptions. 

Conditions of Disclosure to Third Parties: 

The “No Disclosure Without Consent” rule states that “No agency shall disclose any record which is contained in a system of records by any means of communication to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains [subject to the 12 exceptions].” 5 U.S.C. § 552a(b). 

The twelve exceptions to the “No Disclosure Without Consent” rule are: 

  1. 5 U.S.C. § 552a(b)(1) ("need to know" within agency)
  2. 5 U.S.C. § 552a(b)(2) (required FOIA disclosure)
  3. 5 U.S.C. § 552a(b)(3) (routine uses)
  4. 5 U.S.C. § 552a(b)(4) (Bureau of the Census)
  5. 5 U.S.C. § 552a(b)(5) (statistical research)
  6. 5 U.S.C. § 552a(b)(6) (National Archives)
  7. 5 U.S.C. § 552a(b)(7) (law enforcement request)
  8. 5 U.S.C. § 552a(b)(8) (health or safety of an individual)
  9. 5 U.S.C. § 552a(b)(9) (Congress)
  10. 5 U.S.C. § 552a(b)(10) (General Accounting Office)
  11. 5 U.S.C. § 552a(b)(11) (court order)
  12. 5 U.S.C. § 552a(b)(12) (Debt Collection Act)

What is a Privacy Threshold Analysis?

A Privacy Threshold Analysis (PTA) is a questionnaire used to determine if an information technology system contains Personally Identifiable Information (PII), whether a Privacy Impact Assessment (PIA) is required, whether a System of Records Notice (SORN) is required, and if any other privacy requirements apply to the system.

A PTA should be completed when proposing a new information technology system that will collect, store, or process identifiable information or when starting to develop or significantly modify such a system, or when a new electronic collection of identifiable information is being proposed.

The purpose of a PTA is to:

  1. Identify programs and systems that have privacy implications;
  2. Demonstrate the inclusion of privacy considerations during the review of a program or system;
  3. Provide a record of the program or system and its privacy requirements at the Department’s Privacy Office;
  4. Demonstrate compliance with privacy laws and regulations.

What is a Privacy Impact Assessment? 

Privacy Impact Assessments (PIAs) are required by Section 208 of the E-Government Act for all Federal government agencies.  A PIA is an analysis of how information is collected, maintained, stored, and disseminated. In addition, its purpose is to ensure compliance with applicable legal, regulatory, and policy requirements for privacy; determine and examine the privacy risks and effects; and evaluate the protections and processes for handling information to mitigate those privacy risks. The PIA uses the Fair Information Practice Principles (FIPPs) to assess and mitigate any impact on an individual’s privacy.

PIAs must be made publicly available, unless the publication would raise security concerns, reveal classified information (i.e., national security), or reveal sensitive information (e.g., potentially damaging to a national interest, law enforcement effort, or competitive business interest). 

A PIA will notify the public on:

  1. What Personally Identifiable Information (PII) is being collected;
  2. Why the PII is being collected; and
  3. How the PII will be collected, used, accessed, shared, safeguarded and stored.

A PIA must be conducted before:

  1. Developing or procuring any new technologies or systems that handle or collect PII;
  2. Creating a new program, system, technology, or information collection that may have privacy implications;
  3. Updating a system that results in new privacy risks;
  4. Issuing a new or updated rulemaking that involves the collection of PII.

Pursuant to OMB Memorandum M-03-22, PIAs must be conducted and updated, annually, to reflect changed information collection authorities, business processes, or other factors affecting the collection and handling of information in identifiable form, in addition to where a system change creates new privacy risks, such as:

  • Conversions - when converting paper-based records to electronic systems;
  • Anonymous to Non-Anonymous - when functions applied to an existing information collection change anonymous information into information in identifiable form;
  • Significant System Management Changes - when new uses of an existing IT system, including application of new technologies, significantly change how information in identifiable form is managed in the system;
  • Significant Merging - when agencies adopt or alter business processes so that government databases holding information in identifiable form are merged, centralized, matched with other databases or otherwise significantly manipulated;
  • New Public Access - when user-authenticating technology (e.g., password, digital certificate, biometric) is newly applied to an electronic information system accessed by members of the public;
  • Commercial Sources - when agencies systematically incorporate into existing information systems databases of information in identifiable form purchased or obtained from commercial or public sources. (Merely querying such a source on an ad hoc basis using existing technology does not trigger the PIA requirement);
  • New Interagency Uses - when agencies work together on shared functions involving significant new uses or exchanges of information in identifiable form, such as the cross-cutting E-Government initiatives; in such cases, the lead agency should prepare the PIA;
  • Internal Flow or Collection - when alteration of a business process results in significant new uses or disclosures of information or incorporation into the system of additional items of information in identifiable form; or
  • Alteration in Character of Data - when new information in identifiable form added to a collection raises the risks to personal privacy (for example, the addition of health or financial information).

Approved APHIS PIAs can be found below:

What is a System of Records?

A System of Records is a group of records under the control of any federal agency from which information is retrieved by a unique personal identifier assigned to an individual.

What is a System of Records Notice?

A System of Records Notice (SORN) is a formal notice to the public published in the Federal Register that provides a description of a particular system of records.

SORNs have the following purposes:

  • To identify the purpose of a system of records;
  • To identify which individuals are covered by information in a system of records;
  • To identify the categories of records that are maintained about the individuals;
  • To identify how the information is shared by the agency (routine uses);
  • To inform the public of the existence of records;
  • To provide notice to the public of their rights and procedures under the Privacy Act for accessing and correcting information maintained by the agency on an individual.

The following SORNs have been published in the Federal Register by APHIS:

    • Investigative and Enforcement Services investigates alleged violations of Federal laws and regulations related to the mission of the Agency. The Investigation Tracking and Enforcement Management Systems (ITEMS) is used in the management of the investigations from discovery through final stipulation.
    • Veterinarians are accredited by APHIS to perform certain services to control and prevent the spread of animal diseases within the United States and internationally. The system contains records related to the accreditation status of veterinarians.
    • The purpose of the National Animal Health Laboratory Network (NAHLN) is to coordinate and network USDA’s National Veterinary Services Laboratories with the capacity, facilities, professional expertise, and support of State and university laboratories. The network provides an extensive infrastructure of facilities, equipment, and personnel that are geographically accessible in the event of an animal health emergency.
    • The Brucellosis Information System and Brucellosis Recording and Reporting System was created to improve the ability to retrieve existing records and to serve the livestock industry in the eradication of brucellosis.
    • The primary uses of the Animal Damage Control Non-Federal Personnel records are to (a) serve as a tool for the State supervisors in the financial and manpower management of Animal Damage Control programs, (b) form the legal basis for the disbursement of funds, and (c) form the basis for preparation of statistical reports.
    • The Animal Care Information Systems (ACIS) is used by the Animal Care organization to maintain a record of activities conducted by regulated entities and the agency pursuant to the Animal Welfare Act, the Horse Protection Act, and the regulations issued therein.
    • The Wildlife Services Management Information System has been implemented as a system of records for documentation and tracking of business conducted by Wildlife Services in its operational program in cooperative relationships with government, business/industry, and private individuals.
    • The APHIS Comprehensive Electronic Permitting System (ePermits) is used to support the permitting processes for the Plant Protection and Quarantine, Veterinary Services, and Biotechnology Regulatory Services programs within APHIS.
    • The Emergency Management Response System (EMRS) is used to maintain records of activities conducted by the agency pursuant to its mission and responsibilities authorized by the Animal Health Protection Act. APHIS’s Veterinary Services program uses the EMRS to help manage and investigate incidents of foreign animal diseases in the United States.
    • The Phytosanitary Certificate Issuance and Tracking System (PCIT) facilitates the creation and processing of plant export applications with the intent of generating an export certificate.
    • APHIS’s Animal Health Surveillance and Monitoring System (AHSM) is used to maintain records of activities conducted by the agency pursuant to its mission and responsibilities authorized by the Animal Health Protection Act, Bovine Johne’s Disease Control Program, and the Public Health Security and Bioterrorism Preparedness and Response Act of 2002. APHIS’s Veterinary Services program will use the AHSM to collect, manage, and evaluate animal health data for disease control and surveillance programs. 
    • The Animal Disease Traceability Information System (ADTIS) maintains records of activities conducted pursuant to APHIS’ mission and responsibilities authorized by the Animal Health Protection Act. The ADTIS is an information management system that APHIS utilizes to maintain records of official identification devices and other information associated with official identification numbers of animals.
    • The User Fee System (UFS) is used to maintain a record of activities conducted by the agency pursuant to its responsibilities under the Debt Collection Act of 1982, the Debt Collection Improvement Act of 1996, the Food, Agriculture, Conservation and Trade Act of 1990, and the Animal Health Protection Act.
    • The LabWare Laboratory Information Management System (LabWare LIMS) maintains a record of activities conducted by the agency pursuant to its mission and responsibilities authorized by the Animal Health Protection Act. LabWare LIMS is used to track and save results of diagnostic testing performed by or under the auspices of APHIS’ National Veterinary Services Laboratories (NVSL).

The Privacy Act permits an individual to gain access to records or any information pertaining to that individual which is contained in a system of records, subject to certain limitations and exemptions. The request must be in writing in accordance to the instructions set forth in the system of notice for that system of records. The request must include the following information:

  • The name of the individual making the request;
  • The name of the system of records;
  • Preference of inspection, in person or by mail;
  • Be specific and concise;
  • Provide sufficient identification or complete in the presence of an agency official a signed statement asserting the requester’s identity;
  • Date and sign the request and provide contact information.

 7 CFR, Part 1, Subpart G §1.112

Times, places, and requirements for identification of individuals making requests.

Pursuant to 7 CFR, Part 1, Subpart G §1.113(e), If an individual submitting a request for access under § 1.112 wishes to be supplied with copies of the records by mail, the requester shall include with his or her request sufficient data for the agency to verify the requester's identity. If the sensitivity of the records warrant it, the agency may require the requester to submit a signed, notarized statement indicating that the requester is the individual to whom the records pertain and stipulating the requester understands that knowingly or willfully seeking or obtaining access to records about another individual under false pretenses is a misdemeanor punishable by fine up to $5,000. No identification shall be required, however, if the records are required by 5 U.S.C. 552 to be released. If the agency to which this request is directed determines to grant the requested access, it may charge fees in accordance with § 1.120 before making the necessary copies.

[40 FR 39519, Aug. 28, 1975, as amended at 62 FR 33981, June 24, 1997]  

  • Disclosure of records to individuals other than the subject of the records is prohibited unless written consent is provided by the individual to which the records pertain.

Submit your request by mail, facsimile, or e-mail.

USDA – Animal and Plant Health Inspection Service
Tonya Woods, FOIA/PA Director
4700 River Road, Unit 50
Riverdale, MD 20737
Facsimile: 301-734-5941

VIA Web Request Form: Click here to submit your Privacy Act Request Online.  If you should need assistance using the Web Request Form, you may contact the FOIA/PA Office at 301-851-4102.

How Do I Request an Administrative Appeal of a Denied Amendment or Correction Request?

Appeals – If you are dissatisfied with the APHIS’ handling of your request for amendment or correction, you may appeal to the APHIS Administrator. In the event that the APHIS Administrator denies your request, you may seek judicial review in the Federal district court.

USDA – Animal and Plant Health Inspection Service
APHIS Administrator
4700 River Road
Riverdale, MD 20737
Facsimile: 301-734-5931

The Privacy Act of 1974 (5 U.S.C. § 552a)

USDA Privacy Act Regulations

The Judicial Redress Act of 2015
The Judicial Redress Act, a public law, extends certain rights of judicial remedies established under the Privacy Act of 1974.

E-Government Act of 2002
Governs the requirement of PIAs and PTAs for Information Technology systems. 

Federal Records Act of 1950 (FRA)
The FRA provides that “the head of each Federal agency shall make and preserve records containing adequate and proper documentation of the organization, functions, policies, decisions, procedures, and essential transactions of the agency and designed to furnish the information necessary to protect the legal and financial rights of the Government and of persons directly affected by the agency’s activities.” [44 U.S.C. § 3101

Freedom of Information Act (FOIA)
Federal agencies are required to disclose any information requested under the FOIA unless it falls under one of nine exemptions which protect interests such as personal privacy, national security, and law enforcement.

Paperwork Reduction Act of 1995 (PRA)
The Paperwork Reduction Act (PRA), signed into law in 1980 and reauthorized in 1995, provides the statutory framework for the Federal government’s collection, use, and dissemination of information.

OMB Privacy Guidance and Policies
Privacy Act Implementation, Guidelines and Responsibilities
OMB Circular No. A-130, Managing Information as a Strategic Resource- FISMA
OMB Circular No. A-108, Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act
OMB Memorandum M-99-18, Privacy Policies on Federal Web Sites
OMB Memorandum M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002
OMB Memorandum M-10-22, Guidance for Online Use of Web Measurement and Customization Technologies
OMB Memorandum M-10-23, Guidance for Agency Use of Third-Party Websites and Applications
OMB Memorandum M-16-24, Role and Designation of Senior Agency Officials for Privacy
OMB Memorandum M-17-06, Policies for Federal Agency Public Websites and Digital Services
OMB Memorandum M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information

Contact Information

Communication with the Privacy Act Office at the United States Department of Agriculture’s Animal and Plant Health Inspection Service may be sent to: 

Tonya Woods, Privacy Act Director
Animal and Plant Health Inspection Service
Freedom of Information and Privacy Act Staff
4700 River Road, Unit 50
Riverdale, MD 20737
Fax: 301-734-5941
Telephone: 301-851-4102

When a PII incident is suspected or detected call:

Agriculture Security Operations Center Incident Handling Team
1-866-905-6890 or 1-877-744-2968

To report a PII incident online:

File a report on or send an email to

For more information regarding USDA’s Personally Identifiable Information Breach Notification and Incident Response Plan and reporting procedures, can be found here.

Complementary Content