Skip to main content
Animal and Plant Health Inspection Service
U.S. Department of Agriculture
USDA FAQ's and resources about coronavirus (COVID-19).  LEARN MORE

Privacy Threshold Analysis, Privacy Impact Assessments and System of Records Notices

Last Modified: Nov 14, 2022
Print
graphic depicting the security of personal information

What is a Privacy Threshold Analysis?

A Privacy Threshold Analysis (PTA) is a questionnaire used to determine if an information technology system contains Personally Identifiable Information (PII), whether a Privacy Impact Assessment (PIA) is required, whether a System of Records Notice (SORN) is required, and if any other privacy requirements apply to the system.

A PTA should be completed when proposing a new information technology system that will collect, store, or process identifiable information or when starting to develop or significantly modify such a system, or when a new electronic collection of identifiable information is being proposed.

The purpose of a PTA is to:

  1. Identify programs and systems that have privacy implications;
  2. Demonstrate the inclusion of privacy considerations during the review of a program or system;
  3. Provide a record of the program or system and its privacy requirements at the Department’s Privacy Office;
  4. Demonstrate compliance with privacy laws and regulations.


What is a Privacy Impact Assessment?

Privacy Impact Assessments (PIAs) are required by Section 208 of the E-Government Act for all Federal government agencies. A PIA is an analysis of how information is collected, maintained, stored, and disseminated. In addition, its purpose is to ensure compliance with applicable legal, regulatory, and policy requirements for privacy; determine and examine the privacy risks and effects; and evaluate the protections and processes for handling information to mitigate those privacy risks. The PIA uses the Fair Information Practice Principles (FIPPs) to assess and mitigate any impact on an individual’s privacy.

PIAs must be made publicly available, unless the publication would raise security concerns, reveal classified information (i.e., national security), or reveal sensitive information (e.g., potentially damaging to a national interest, law enforcement effort, or competitive business interest).

A PIA will notify the public on:

  1. What Personally Identifiable Information (PII) is being collected;
  2. Why the PII is being collected; and
  3. How the PII will be collected, used, accessed, shared, safeguarded and stored.

A PIA must be conducted before:

  1. Developing or procuring any new technologies or systems that handle or collect PII;
  2. Creating a new program, system, technology, or information collection that may have privacy implications;
  3. Updating a system that results in new privacy risks;
  4. Issuing a new or updated rulemaking that involves the collection of PII.

Pursuant to OMB Memorandum M-03-22, PIAs must be conducted and updated, annually, to reflect changed information collection authorities, business processes, or other factors affecting the collection and handling of information in identifiable form, in addition to where a system change creates new privacy risks, such as:

  • Conversions - when converting paper-based records to electronic systems;
  • Anonymous to Non-Anonymous - when functions applied to an existing information collection change anonymous information into information in identifiable form;
  • Significant System Management Changes - when new uses of an existing IT system, including application of new technologies, significantly change how information in identifiable form is managed in the system;
  • Significant Merging - when agencies adopt or alter business processes so that government databases holding information in identifiable form are merged, centralized, matched with other databases or otherwise significantly manipulated;
  • New Public Access - when user-authenticating technology (e.g., password, digital certificate, biometric) is newly applied to an electronic information system accessed by members of the public;
  • Commercial Sources - when agencies systematically incorporate into existing information systems databases of information in identifiable form purchased or obtained from commercial or public sources. (Merely querying such a source on an ad hoc basis using existing technology does not trigger the PIA requirement);
  • New Interagency Uses - when agencies work together on shared functions involving significant new uses or exchanges of information in identifiable form, such as the cross-cutting E-Government initiatives; in such cases, the lead agency should prepare the PIA;
  • Internal Flow or Collection - when alteration of a business process results in significant new uses or disclosures of information or incorporation into the system of additional items of information in identifiable form; or
  • Alteration in Character of Data - when new information in identifiable form added to a collection raises the risks to personal privacy (for example, the addition of health or financial information).

Approved APHIS PIAs can be found below:

What is a System of Records Notice?

A System of Records Notice (SORN) is a formal notice to the public published in the Federal Register that provides a description of a particular system of records.

SORNs have the following purposes:

  • To identify the purpose of a system of records;
  • To identify which individuals are covered by information in a system of records;
  • To identify the categories of records that are maintained about the individuals;
  • To identify how the information is shared by the agency (routine uses);
  • To inform the public of the existence of records;
  • To provide notice to the public of their rights and procedures under the Privacy Act for accessing and correcting information maintained by the agency on an individual.

The following SORNs have been published in the Federal Register by APHIS:

APHIS-1: Investigative and Enforcement Records Regarding Regulatory Activities

View PDF here

Investigative and Enforcement Services investigates alleged violations of Federal laws and regulations related to the mission of the Agency. The Investigation Tracking and Enforcement Management Systems (ITEMS) is used in the management of the investigations from discovery through final stipulation.

APHIS-2: Veterinary Services - Records of Accredited Veterinarians

View PDF here

Veterinarians are accredited by APHIS to perform certain services to control and prevent the spread of animal diseases within the United States and internationally. The system contains records related to the accreditation status of veterinarians.

APHIS-5: National Animal Health Laboratory Network

View PDF here

The purpose of the National Animal Health Laboratory Network (NAHLN) is to coordinate and network USDA’s National Veterinary Services Laboratories with the capacity, facilities, professional expertise, and support of State and university laboratories. The network provides an extensive infrastructure of facilities, equipment, and personnel that are geographically accessible in the event of an animal health emergency.

APHIS 8: Animal Welfare Act and Horse Protection Act

View PDF here

The Animal Care Information Systems (ACIS) is used by the Animal Care organization to maintain a record of activities conducted by regulated entities and the agency pursuant to the Animal Welfare Act, the Horse Protection Act, and the regulations issued therein.

APHIS-9: Wildlife Services Management Information System

View PDF here

The Wildlife Services Management Information System has been implemented as a system of records for documentation and tracking of business conducted by Wildlife Services in its operational program in cooperative relationships with government, business/industry, and private individuals.

APHIS-10: APHIS Comprehensive Electronic Permitting System

View PDF here

The APHIS Comprehensive Electronic Permitting System (ePermits) is used to support the permitting processes for the Plant Protection and Quarantine, Veterinary Services, and Biotechnology Regulatory Services programs within APHIS.

APHIS-11: Emergency Management Response System

View PDF here

APHIS-11 Recinded

The Emergency Management Response System (EMRS) is used to maintain records of activities conducted by the agency pursuant to its mission and responsibilities authorized by the Animal Health Protection Act. APHIS’s Veterinary Services program uses the EMRS to help manage and investigate incidents of foreign animal diseases in the United States.

APHIS-13: Phytosanitary Certificate Issuance and Tracking System

View PDF here

The Phytosanitary Certificate Issuance and Tracking System (PCIT) facilitates the creation and processing of plant export applications with the intent of generating an export certificate.

APHIS-15: Animal Health Surveillance and Monitoring System

View PDF here

APHIS’s Animal Health Surveillance and Monitoring System (AHSM) is used to maintain records of activities conducted by the agency pursuant to its mission and responsibilities authorized by the Animal Health Protection Act, Bovine Johne’s Disease Control Program, and the Public Health Security and Bioterrorism Preparedness and Response Act of 2002. APHIS’s Veterinary Services program will use the AHSM to collect, manage, and evaluate animal health data for disease control and surveillance programs.

APHIS-16: Animal Disease Traceability Information System

View PDF here

The Animal Disease Traceability Information System (ADTIS) maintains records of activities conducted pursuant to APHIS’ mission and responsibilities authorized by the Animal Health Protection Act. The ADTIS is an information management system that APHIS utilizes to maintain records of official identification devices and other information associated with official identification numbers of animals.

APHIS-18: Veterinary Services User Fee System

View PDF here

The User Fee System (UFS) is used to maintain a record of activities conducted by the agency pursuant to its responsibilities under the Debt Collection Act of 1982, the Debt Collection Improvement Act of 1996, the Food, Agriculture, Conservation and Trade Act of 1990, and the Animal Health Protection Act.

APHIS-19: National Veterinary Services Laboratories' Laboratory Information Management System (USDA/APHIS-19)

View PDF here

NVSL-LIMS is used to collect, track, and store test results on animal diagnostic samples received at NVSL pursuant to its mission and responsibilities authorized by the Animal Health Protection Act. The system will also allow for NVSL to provide quality management and complaint resolution for those test results that may contain errors or do not satisfy the customer. (Note that references to the system may appear as LIMS, Veterinary Services (VS) LIMS, or NVSL-LIMS.) 86 FR 67675

APHIS-20: Agricultural Quarantine Activity System

View PDF here

The Agricultural Quarantine Activity System (AQAS) records agricultural quarantine activities conducted by U.S. Customs and Border Protection (CBP) and APHIS employees at the U.S. ports of entry. This system also records agricultural quarantine activities conducted inside the United States that are related to trade. This system collects agricultural risk data and records activities conducted by APHIS within the U.S. borders pertaining to detecting the unlawful entry and distribution of prohibited and/or noncompliant products that may harbor exotic plant and animal pests, diseases, or invasive species.

APHIS-23: USDA APHIS 23 Integrated Plant Health Information System (IPHIS)

View PDF here

IPHIS is an information management system that APHIS uses to access, enter, and view data on plant health events that occur nationwide. IPHIS provides survey data, compliance agreements and inspection records to APHIS plant health personnel as well as cooperators outside the agency.
86 FR 27553

APHIS-24: PPQ’S Lacey Act Declaration Information Systems

View PDF here

The APHIS Lacey Act Declaration Information Systems (LADIS) is an online tool which enables the users (importers) to securely generate and file the declaration form, and save it for their records electronically via the internet for future use. LADIS also enables filers to save commonly used declaration data in templates for quick and easy future submissions.

OCIO-3: FOIA and PA Request and Administrative Appeal Files

View PDF here

This system allows only authorized USDA FOIA and PA officials to effectively monitor and track access requests and administrative appeals under the FOIA and PA; to process access requests under the FOIA and PA; to amend requests under the PA; to manage fees and calculations under the FOIA; and to satisfy USDA's reporting obligations under the FOIA and PA.

*Additional Government wide SORNs can be found in the Federal Register. As an informational reference, Government wide SORNs can also be found at the Federal Privacy Council Website: https://www.fpc.gov/resources/SORNs/.


 

Complementary Content
${loading}