Enclosure (1) to COMDTINST 5260.4A
Appendix I PIA Triggers
Please consult with the Privacy Office to determine whether a PIA is required and to identify any
existing PIAs or System of Records Notices (SORNs). According to OMB Memorandum M-03-22,
the system activities listed below may require a PIA:
Conversions
When converting paper-based records to electronic systems;
Anonymous to Non-Anonymous
When functions applied to an existing information collection change anonymous information
into information in identifiable form;
Significant System Management Changes
When new uses of an existing IT system, including application of new technologies, significantly
change how information in identifiable form is managed in the system:
For example, when an agency employs new relational database technologies or web-based
processing to access multiple data stores, such additions could create a more open environment
and avenues for exposure of data that previously did not exist.
Significant Merging
When agencies adopt or alter business processes so that government databases holding
information in identifiable form are merged, centralized, matched with other databases or
otherwise significantly manipulated:
For example, when databases are merged to create one central source of information, such a link
may aggregate data in ways that create privacy concerns not previously at issue.
New Public Access
When user-authenticating technology (e.g., password, digital certificate, biometric) is newly
applied to an electronic information system accessed by members of the public;
Commercial Sources
When agencies systematically incorporate into existing information systems databases of
information in identifiable form purchased or obtained from commercial or public sources.
(Merely querying such a source on an ad hoc basis using existing technology does not trigger the
PIA requirement);
New Interagency Uses
When agencies work together on shared functions involving significant new uses or exchanges