System of Records Notice (SORN)
Notice provided to the public regarding records maintained by CMS and how those records will be used
What is a System of Records Notice (SORN)?
A System of Records Notice (SORN) is a notice to the public that describes how a federal agency collects and maintains Personally Identifiable Information (PII). A SORN is required whenever the agency collects and stores PII, and retrieves those records through the use of a unique identifier. The Privacy Act of 1974 requires publication of SORNs in the Federal Register, which is available to the public for review. CMS SORN publications provide the public with open and clear communication about the agency’s authority to collect, use, and disclose PII, as well as how an individual can access and amend their records. SORNs are required whenever CMS establishes or modifies the collection, use, or disclosure of PII.
Not every system is a system of records, and therefore not all systems require SORN coverage. However, a single SORN can cover multiple FISMA systems, and sometimes several SORNs can apply to just one system. CMS has discretion in determining the scope of a SORN, but must consider certain factors, including:
- The effect on CMS’s facilitation of individual rights under the Privacy Act to access records and contest any inaccurate information
- The information value of the notice
- The purposes and uses of the records
- Cost and convenience to CMS
Who completes a SORN?
The SORN is initiated by the System/Business Owner when they become aware of a new collection of PII or a change to how their FISMA system collects PII. The System/Business Owner contacts the Privacy Office to determine if a new SORN is required or if an existing SORN can be modified to provide coverage for the change. The System/Business Owner then provides the Privacy Office with a summary of the data collection, legal authorities and details of the program, and then the Privacy Office assists the System/Business Owner in completing the finalized SORN. The completed SORN is then sent to the Department of Health and Human Services for review and publication. All completed SORNs from CMS can be found on the HHS website.
When do I complete a new SORN?
A “new” system of records is one for which no public notice is currently published in the Federal Register. A new SORN must be published when any one of the following criteria is met:
- A program, authorized by a new or existing statute or Executive order (EO), maintains information on an individual and retrieves that information by personal identifier
- There is a new organization of records resulting in the consolidation of two or more existing systems into one new umbrella system, whenever the consolidation cannot be classified under a current SORN
- It is discovered that records about individuals are being created and used, and that this activity is not covered by a currently published SORN
- A new configuration of existing records about individuals that was not previously subject to the Privacy Act (i.e., was not a system of records) results in the creation of a system of records
When can I amend an existing SORN?
There are two types of amendments to SORNs: a significant alteration and a nonsignificant alteration.
Significant alteration
If a significant alteration needs to be made to a system of records, the agency must immediately amend the existing SORN for that system of records and republish it in the Federal Register for a 30-day public comment period. Significant alterations include:
- Change in the number or type of individuals on whom records are maintained
- Expansion of the types or categories of information maintained (e.g., if an employee file is expanded to include data on education and training, this is considered an expansion of the types or categories of information maintained)
- Change in the manner in which the records are organized, indexed, or retrieved that results in a change in the nature or scope of these records (e.g., splitting an existing system of records into two or more different systems of records)
- Change in the purpose for which information in the system of records is used
- Change in equipment configuration. This means changing the hardware or software on which the system of records operates to create the potential for either more or easier access
- Change in procedures associated with the system in a manner that affects an individual's exercise of his or her rights
Non-significant alteration
For systems with nonsignificant alterations, such as a change in system owner, the only requirement is that a revised SORN be published in the Federal Register. The 30-day public comment period and the additional 10-day OMB and Congress review period are not required for nonsignificant alterations. The Privacy Office can help you determine if your change is non-significant.
How long does a SORN take?
Depending on the complexity of the collection or change, it can take up to six months to complete a SORN, so it’s important to begin the process as soon as you’re made aware of a new collection or change. Additionally, all SORNs must appear in the Federal Register for a 30-day comment period before CMS begins to operate the system to collect and use the information. OMB and Congress require an additional 10 days to review the SORN, resulting in a total waiting period of 40 days before CMS can begin to operate the system to collect and use the information.
SORN drafting guide
If you’re creating the summary of the data collection, legal authorities, and details of the proposed change, it’s important to remember that the audience for your SORN is the general public. As a result, you should keep the following in mind:
- Check for spelling and grammar mistakes; a SORN should be free of both
- Expand acronyms so that the general public can see what they mean
- Write in plain language that’s easy to understand
- If your SORN contains technical terms, take the time to define them so that your audience can understand them
- Cite legal references and provide a brief description of the document when applicable
Related documents and resources
Procedures to help CMS staff and contractors implement federal policies and standards for information security and privacy
The IS2P2 defines how CMS protects and controls access to its information and systems. It outlines compliance activities and defines roles and responsibilities.