Privacy Threshold Analysis, Privacy Impact Assessments, and System of Records Notices

Last Modified: March 24, 2024

photo/graphic of a man pushing a holographic lock button

A Privacy Threshold Analysis (PTA) is a questionnaire used to determine if an information technology system contains Personally Identifiable Information (PII), whether a Privacy Impact Assessment (PIA) is required, whether a System of Records Notice (SORN) is required, and if any other privacy requirements apply to the system.

A PTA should be completed when proposing a new information technology system that will collect, store, or process identifiable information or when starting to develop or significantly modify such a system, or when a new electronic collection of identifiable information is being proposed.

The purpose of a PTA is to:

Identify programs and systems that have privacy implications;
Demonstrate the inclusion of privacy considerations during the review of a program or system;
Provide a record of the program or system and its privacy requirements at the Department’s Privacy Office;
Demonstrate compliance with privacy laws and regulations.

Privacy Impact Assessments

What is a Privacy Impact Assessment?

Privacy Impact Assessments (PIAs) are required by Section 208 of the E-Government Act for all Federal government agencies. A PIA is an analysis of how information is collected, maintained, stored, and disseminated. In addition, its purpose is to ensure compliance with applicable legal, regulatory, and policy requirements for privacy; determine and examine the privacy risks and effects; and evaluate the protections and processes for handling information to mitigate those privacy risks. The PIA uses the Fair Information Practice Principles (FIPPs) to assess and mitigate any impact on an individual’s privacy.

PIAs must be made publicly available, unless the publication would raise security concerns, reveal classified information (i.e., national security), or reveal sensitive information (e.g., potentially damaging to a national interest, law enforcement effort, or competitive business interest).

A PIA will notify the public on:

What Personally Identifiable Information (PII) is being collected;
Why the PII is being collected; and
How the PII will be collected, used, accessed, shared, safeguarded and stored.

A PIA must be conducted before:

Developing or procuring any new technologies or systems that handle or collect PII;
Creating a new program, system, technology, or information collection that may have privacy implications;
Updating a system that results in new privacy risks;
Issuing a new or updated rulemaking that involves the collection of PII.

Pursuant to OMB Memorandum M-03-22, PIAs must be conducted and updated, annually, to reflect changed information collection authorities, business processes, or other factors affecting the collection and handling of information in identifiable form, in addition to where a system change creates new privacy risks, such as:

Conversions - when converting paper-based records to electronic systems;
Anonymous to Non-Anonymous - when functions applied to an existing information collection change anonymous information into information in identifiable form;
Significant System Management Changes - when new uses of an existing IT system, including application of new technologies, significantly change how information in identifiable form is managed in the system;
Significant Merging - when agencies adopt or alter business processes so that government databases holding information in identifiable form are merged, centralized, matched with other databases or otherwise significantly manipulated;
New Public Access - when user-authenticating technology (e.g., password, digital certificate, biometric) is newly applied to an electronic information system accessed by members of the public;
Commercial Sources - when agencies systematically incorporate into existing information systems databases of information in identifiable form purchased or obtained from commercial or public sources. (Merely querying such a source on an ad hoc basis using existing technology does not trigger the PIA requirement);
New Interagency Uses - when agencies work together on shared functions involving significant new uses or exchanges of information in identifiable form, such as the cross-cutting E-Government initiatives; in such cases, the lead agency should prepare the PIA;
Internal Flow or Collection - when alteration of a business process results in significant new uses or disclosures of information or incorporation into the system of additional items of information in identifiable form; or
Alteration in Character of Data - when new information in identifiable form added to a collection raises the risks to personal privacy (for example, the addition of health or financial information).

Approved APHIS PIAs can be found below:

APHIS Pharmacovigilance (PV-Works) Application (April 2018)
APHIS Smuggling Interdiction and Trade Compliance (SITC) National Information, Communication and Activity System (SNICAS) (April 2018)
APHIS Agricultural Quarantine Activity System (AQAS) (May 2018)
APHIS Enterprise Infrastructure General Support System (AEI GSS) (July 2018)
APHIS Agricultural Risk Management (ARM) (August 2018)
APHIS Veterinary Services National Centers for Animal Health National Information Technology Center (VS NCAH NITC) Platform (N2P) (August 2018)
APHIS Phytosanitary Certificate Issuance and Tracking (PCIT) (August 2018)
APHIS Animal Care Information System (ACIS) (February 2019)
APHIS eFile System (eFile) (March 2019)
APHIS Comprehensive Electronic Permitting System (ePermits) (April 2019)
APHIS Marketing Regulatory Programs Amazon Web Services General Support System (MRP AWS GSS)
(September 2022)
APHIS Geographic Information System (GIS) Cloud (October 2019)
APHIS Cost Management System (ACMS) (November 2019)
APHIS Marketing Regulatory Programs Azure Cloud General Support System (MRP AC GSS) (December 2019)
APHIS Veterinary Services Laboratory Information Management System (VS LIMS) (December 2019)
APHIS Lacey Act Web Governance System (LAWGS) (January 2020)
APHIS Surveillance Collaboration Services (SCS) (January 2020)
APHIS Veterinary Services National Information Technology Center (VS NITC) System (VNS): Veterinary Services Process Streamlining (VSPS) (April 2020)
APHIS Investigation Tracking and Enforcement Management System (ITEMS) (May 2020)
APHIS Plant Protection and Quarantine (PPQ) Service Portal (June 2020)
APHIS Wildlife Services (WS) Management Information System (MIS 2000) (July 2020)
APHIS National Bio and Agro-Defense Facility (NBAF) Building Control System (BCS) (December 2020)
APHIS Emergency Management Response Services 2.0 (EMRS2) (December 2020)
APHIS Veterinary Services Integrated Surveillance Modules (VSISM) (January 2021)
APHIS National Centers for Animal Health (NCAH) on Azure Platform (NAP) (March 2020)
APHIS National Bio and Agro-Defense Facility (NBAF) Laboratory System (NLS) (April 2021)
APHIS ServiceNow System (April 2021)
APHIS Integrated Plant Health Information System (IPHIS) (May 2021)
APHIS Wildlife Services (WS) Operations and Reporting System (OARS) (July 2021)

System of Records Notices

What is a System of Records Notice?

A System of Records Notice (SORN) is a formal notice to the public published in the Federal Register that provides a description of a particular system of records.

SORNs have the following purposes:

To identify the purpose of a system of records;
To identify which individuals are covered by information in a system of records;
To identify the categories of records that are maintained about the individuals;
To identify how the information is shared by the agency (routine uses);
To inform the public of the existence of records;
To provide notice to the public of their rights and procedures under the Privacy Act for accessing and correcting information maintained by the agency on an individual.

APHIS has published the following SORNs in the Federal Register:

Number	System Title	Exemptions
APHIS-1	Investigative and Enforcement Records Regarding Regulatory Activities 66 FR 57698 (1/15/2002)	This system has been exempted pursuant to 5 U.S.C. 552(a)(k)(2) from the requirements of 5 U.S.C. 552a(c)(3), (d), (e)(1), (e)(4)(G), (H), and (I) and (f). See 7 CFR 1.23.
APHIS-2	Veterinary Services—Records of Accredited Veterinarians 81 FR 51177 (08/03/2016; Notice) 80 FR 27142 (5/12/2015)	The portions of this system that consist of investigatory material compiled for law enforcement purposes have been exempted pursuant to 5 U.S.C. 552a(k)(2) from the provisions of 5 U.S.C. 552a(c)(3), (d), (e)(1), (e)(4)(G), (H), and (I), and (f). See 7 CFR 1.123.
APHIS-3	Veterinary Services—Animal Quarantine Regulatory Actions 66 FR 57698 (1/15/2002)	This system has been exempted pursuant to 5 U.S.C. 552(a)(k)(2) from the requirements of 5 U.S.C. 552a(c)(3), (d), (e)(1), (e)(4)(G), (H), and (I) and (f). See 7 CFR 1.23.
APHIS-4	Animal Welfare and Horse Protection Regulatory Actions 66 FR 57698 (1/15/2002)	This system has been exempted pursuant to 5 U.S.C. 552(a)(k)(2) from the requirements of 5 U.S.C. 552a(c)(3), (d), (e)(1), (e)(4)(G), (H), and (I) and (f). See 7 CFR 1.23.
APHIS-5	National Animal Health Laboratory Network 75 FR 50987 (8/18/2010)	None
APHIS-6	VS-Brucellosis Information System and Brucellosis Recording and Reporting System	This system has been exempted pursuant to 5 U.S.C. 552(a)(k)(2) from the requirements of 5 U.S.C. 552a(c)(3), (d), (e)(1), (e)(4)(G), (H), and (I) and (f). See 7 CFR 1.23.
APHIS-7	Animal Damage Control Non-Federal Personnel Records	None
APHIS-8	Animal Welfare Act and Horse Protection Act 84 FR 56999 (10/24/2019) 84 FR 70493 (12/23/2019) 52 FR 6031 (4/28/1987)	None
APHIS-9	Wildlife Services Management Information System 73 FR 23404 (4/30/2008)	None
APHIS-10	APHIS Comprehensive Electronic Permitting System (ePermits) 73 FR 23406 (4/30/2008)	None
APHIS-11	Emergency Management Response System (EMRS) 73 FR 23409 (4/30/2008)	None
APHIS-12	Notification of Deletion of a System of Records; Automated Trust Funds Database 73 FR 2341 (4/30/2008)
APHIS-13	Phytosanitary Certificate Issuance and Tracking System 78 FR 48642 (8/9/2013) 78 FR 37775 (6/24/2013)	None
APHIS-14	NO APHIS SORN
APHIS-15	Animal Health Surveillance and Monitoring System 76 FR 72897 (11/28/2011)	None
APHIS-16	APHIS National Animal Identification System (NAIS) 73 FR 23412 (04/30/2008)	None
APHIS-17	NO APHIS SORN
APHIS-18 (Under revision)	Veterinary Services User Fee System 77 FR 15033 (3/14/2012)	None
APHIS-19 (Existing system being modified)	National Veterinary Services Laboratories' Laboratory Information Management System 78 FR 60245 (10/01/2013)	None
APHIS-20	Agricultural Quarantine Activity System (AQAS) 84 FR 40385 (8/14/2019)	None
APHIS-21	Smuggling Interdiction and Trade Compliance (SITC) National Information Communication Activity System (SNICAS) 87 FR 41098 (7/11/2022)	The Agency has exempted this system from subsections (c)(3); (d); (e)(1); (e)(4)(G), (H), and (I); and (f) of the Privacy Act pursuant to 5 U.S.C. 552a(k)(2). The exemptions will be applied only to the extent that the information in the system is subject to exemption pursuant to 5 U.S.C. 552a(k)(2).
APHIS-23	USDA/APHIS-23, Integrated Plant Health Information System (IPHIS) 86 FR 27553 (6/21/2021)	None
APHIS-24	Lacey Act Declaration Information System (LADIS) 85 FR 8539 (2/14/2020)	None

*Additional Government wide SORNs can be found in the Federal Register. As an informational reference, Government wide SORNs can also be found at the Federal Privacy Council Website.