Pt. 505, App. F
Appendix F to Part 505
—Example of a System of Records Notice
(a) Additional information and guidance on Privacy Act system of records notices are found in DA PAM 25-51. The following elements comprise a Privacy Act system of records notice for publication in the Federal Register:
(b) System Identifier: A0025-55 AHRC—DA FOIA/P Office assigns the notice number, for example, A0025-55, where “A” indicates “Army,” the next number represents the publication series number related to the subject matter, and the final letter group shows the system manager's command. In this case, it would be U.S. Army Human Resources Command.
(c) System Name: Use a short, specific, plain language title that identifies the system's general purpose (limited to 55 characters).
(d) System Location: Specify the address of the primary system and any decentralized elements, including automated data systems with a central computer facility and input or output terminals at separate locations. Use street address, 2-letter state abbreviations and 9-digit ZIP Codes. Spell out office names. Do not use office symbols.
(e) Categories of Individuals: Describe the individuals covered by the system. Use non-technical, specific categories of individuals about whom the Department of Army keeps records. Do not use categories like ”all Army personnel” unless that is truly accurate.
(f) Categories of Records in the System: Describe in clear, plain language, all categories of records in the system. List only documents actually kept in the system. Do not identify source documents that are used to collect data and then destroyed. Do not list form numbers.
(g) Authority for Maintenance of the System: Cite the specific law or Executive Order that authorizes the maintenance of the system. Cite the DOD directive/instruction or Department of the Army Regulation(s) that authorizes the Privacy Act system of records. Always include titles with the citations. Note: Executive Order 9397 authorizes using the SSN as a personal identifier. Include this authority whenever the SSN is used to retrieve records.
(h) Purpose(s): List the specific purposes for maintaining the system of records by the activity.
(i) Routine Use(s): The blanket routine uses that appear at the beginning of each Component compilation apply to all systems notice unless the individual system notice specifically states that one or more of them do not apply to the system. Blanket Routine Uses are located at the beginning of the Component listing of systems notices and are not contained in individual system of records notices. However, specific routine uses are listed in each applicable system of records notice. List the specific activity to which the record may be released, for example “To the Veterans Administration” or “To state and local health agencies”. For each routine user identified, include a statement as to the purpose or purposes for which the record is to release to that activity. Do not use general statements, such as “To other federal agencies as required” or “To any other appropriate federal agency”.
(j) Polices and Practices for Storing, Retrieving, Accessing, Retaining, and Disposing of Records in the System:
(k) Storage: State the medium in which DA maintains the records; for example, in file folders, card files, microfiche, computer, or a combination of those methods. Storage does not refer to the storage container.
(l) Retrievability: State how the Army retrieves the records; for example, by name, fingerprints or voiceprints.
(m) Safeguards: Identify the system safeguards; for example, storage in safes, vaults, locked cabinets or rooms, use of guards, visitor controls, personnel screening, computer systems software, and so on. Describe safeguards fully without compromising system security.
(n) Retention and Disposal. State how long AR 25-400-2 requires the activity to maintain the records. Indicate when or if the records may be transferred to a Federal Records Center and how long the record stays there. Specify when the Records Center sends the record to the National Archives or destroys it. Indicate how the records may be destroyed.
(o) System Manager(s) and Address: List the position title and duty address of the system manager. For decentralized systems, show the locations, the position, or duty title of each category of officials responsible for any segment of the system.
(p) Notification Procedures: List the title and duty address of the official authorized to tell requesters if their records are in the system. Specify the information a requester must submit; for example, full name, military status, SSN, date of birth, or proof of identity, and so on.
(q) Record Access Procedures: Explain how individuals may arrange to access their records. Include the titles or categories of officials who may assist; for example, the system manager.
(r) Contesting Records Procedures:
The standard language to use is “The Army's rules for accessing records, and for contesting contents and appealing initial agency determinations are contained in Army Regulation 25-71; 32 CFR part 505
; or may be obtained from the system manager.”
(s) Record Source Categories:
Show categories of individuals or other information sources for the system. Do not list confidential sources protected by 5 U.S.C. 552a(k)(2)
, (k)(5), or (k)(7).
(t) Exemptions Claimed for the System: Specifically list any approved exemption including the subsection in the Act. When a system has no approved exemption, write “none” under this heading.