A system of records notice (or “SORN”) is published by a Federal agency in the Federal Register upon the establishment and/or modification of a system of records describing the existence and character of the system. A SORN identifies the system of records, the purpose(s) of the system, the authority for maintenance of the records, the categories of records maintained in the system, the categories of individuals about whom records are maintained, the routine uses to which the records are subject, and additional details about the system.
Related Laws, Policies, and Resources:
The Privacy Act of 1974
The Privacy Act of 1974 sets forth a series of requirements governing Federal agency practices with respect to certain information about individuals. Among other things, it requires Federal agencies to publish a system of records notice (SORN) in the Federal Register that describes the existence and character of a system of records.
OMB Circular A-108, Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act (December 23, 2016)
This Circular describes agency responsibilities for implementing the review, reporting, and publication requirements of the Privacy Act of 1974 and related OMB policies. Among other things, it provides guidance to Federal agencies on when to publish a SORN and how to report a system of records to the Office of Management and Budget and to Congress. The Circular requires the use of Office of the Federal Register SORN templates, which are provided in the appendices to the Circular.
OMB Memorandum M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information (January 3, 2017)
This Memorandum sets forth the policy for Federal agencies to prepare for and respond to a breach of PII. Among other things, it requires Federal agencies to add routine uses to their system of records notices to cover the disclosure of records when responding to a breach.
Privacy Act Implementation: Guidelines and Responsibilities, 40 Fed. Reg. 28,948 (July 9, 1975)
This Circular defines responsibilities for implementing the Privacy Act of 1974 to assure that personal information about individuals collected by Federal agencies is limited to that which is legally authorized and necessary and is maintained in a manner which precludes unwarranted intrusions upon individual privacy. Among other things, it includes guidance on the content of a SORN.