How and When to Write a Privacy Act Statement
By DON CIO Privacy Team - Published, November 10, 2010
When is a Privacy Act Statement required?
If your organization requests that an individual furnish personal information (name, date of birth, Social Security number, etc.) for a system of records, regardless of the method used to collect the information (e.g., forms, personal or telephonic interview, etc.), then a Privacy Act Statement (PAS) is required. If the information requested will not be included in a system of records, then a PAS is not required.
How do you write a PAS?
The PAS format is contained in OPNAV Form 5211/12. Specifically, the form collects the following information: authority, purpose, routine uses and disclosure.
First, identify the PA System of Records Notice (SORN) for the PA system in which you are going to store the information (see: Privacy Act System of Records Notices for a list of PA SORNS). If you need assistance, contact CNO (DNS-36); (202) 685-6545/46; DSN 325-6545/46; email@example.com/. Identify the SORN in the PAS.
Second, using information from the systems notice, fill in the following areas: "Authority and Purpose." Under "Authority," list the Federal law or Executive Order that appears in the systems notice (e.g., 5 U.S.C. 301, Departmental Regulations and Executive Order 9397 (SSN), as amended). Under "Purpose," copy the same information that is contained in the SORN under "Purpose."
Third, under "Routine Uses" address who inside/outside the organization will have access to the information (e.g., used by the security office to annotate that training has been accomplished). Do not cite "Blanket Routine Uses apply."
Fourth, under "Disclosure" cite whether the disclosure of information is "Voluntary" or "Mandatory". It is only appropriate to cite "Mandatory" when a Federal Law or Executive Order of the President specifically imposes a requirement to furnish the information and provides a penalty for failure to do so. If furnishing information is a condition for granting a benefit or privilege voluntarily sought by the individual, it is voluntary for the individual to give the information.
In view of the above, most statements read as follows: "Disclosure: Voluntary. However, failure to provide the requested information may result in [fill in text]" (e.g., not being considered for the position; not being notified in case of an emergency, etc.).
Does the PAS have to appear on the form?
Yes or on a separate form that can be retained by the individual collecting the information. If the information is collected by means other than a form completed by the individual (e.g., solicited over the telephone), a PAS should be read to the individual and if requested by the individual, a copy sent to him or her.
When forms are used to collect information about individuals for a system of records, the PAS shall appear as follows (listed in order of preference):
Does the individual have to sign the PAS?
- Immediately below the title of the form;
- Elsewhere on the front page of the form (clearly indicating it is the PAS);
- On the back of the form with a notation of its location before the title of the form; or
- On a separate form, which the individual may keep.