PT 6 SYSTEM OF RECORDS NOTICE - NIST-SP-800-53-R5/NIST-SP-800-53-R5.github.io GitHub Wiki

PT-6 SYSTEM OF RECORDS NOTICE

Control: For systems that process information that will be maintained in a Privacy Act system of records:

  • a. Draft system of records notices in accordance with OMB guidance and submit new and significantly modified system of records notices to the OMB and appropriate congressional committees for advance review;
  • b. Publish system of records notices in the Federal Register; and
  • c. Keep system of records notices accurate, up-to-date, and scoped in accordance with policy.

Discussion: The [PRIVACT] requires that federal agencies publish a system of records notice in the Federal Register upon the establishment and/or modification of a [PRIVACT] system of records. As a general matter, a system of records notice is required when an agency maintains a group of any records under the control of the agency from which information is retrieved by the name of an individual or by some identifying number, symbol, or other identifier. The notice describes the existence and character of the system and identifies the system of records, the purpose(s) of the system, the authority for maintenance of the records, the categories of records maintained in the system, the categories of individuals about whom records are maintained, the routine uses to which the records are subject, and additional details about the system as described in [OMB A-108].

Related Controls: AC-3, PM-20, PT-2, PT-3, PT-5.

Control Enhancements:

  • (1) SYSTEM OF RECORDS NOTICE / ROUTINE USES
    Review all routine uses published in the system of records notice at [ Assignment: organization-defined frequency ] to ensure continued accuracy, and to ensure that routine uses continue to be compatible with the purpose for which the information was collected.

    Discussion: A [PRIVACT] routine use is a particular kind of disclosure of a record outside of the federal agency maintaining the system of records. A routine use is an exception to the [PRIVACT] prohibition on the disclosure of a record in a system of records without the prior written consent of the individual to whom the record pertains. To qualify as a routine use, the disclosure must be for a purpose that is compatible with the purpose for which the information was originally collected. The [PRIVACT] requires agencies to describe each routine use of the records maintained in the system of records, including the categories of users of the records and the purpose of the use. Agencies may only establish routine uses by explicitly publishing them in the relevant system of records notice.

    Related Controls: None.

  • (2) SYSTEM OF RECORDS NOTICE / EXEMPTION RULES
    Review all Privacy Act exemptions claimed for the system of records at [ Assignment: organization-defined frequency ] to ensure they remain appropriate and necessary in accordance with law, that they have been promulgated as regulations, and that they are accurately described in the system of records notice.

    Discussion: The [PRIVACT] includes two sets of provisions that allow federal agencies to claim exemptions from certain requirements in the statute. In certain circumstances, these provisions allow agencies to promulgate regulations to exempt a system of records from select provisions of the [PRIVACT]. At a minimum, organizations’ [PRIVACT] exemption regulations include the specific name(s) of any system(s) of records that will be exempt, the specific provisions of the [PRIVACT] from which the system(s) of records is to be exempted, the reasons for the exemption, and an explanation for why the exemption is both necessary and appropriate.

    Related Controls: None.

References: [PRIVACT], [OMB A-108].
