
Text of the Federal Agency Data Privacy Protection Act

This bill was introduced on January 17, 2007, in a previous session of Congress, but was not enacted. The text of the bill below is as of Jan 17, 2007 (Introduced).

Source: GPO

I

110th CONGRESS

1st Session

H. R. 516

IN THE HOUSE OF REPRESENTATIVES

January 17, 2007

introduced the following bill; which was referred to the Committee on Oversight and Government Reform

A BILL

To increase the security of sensitive data maintained by the Federal Government.

1. Short title

This Act may be cited as the Federal Agency Data Privacy Protection Act.

2. Definition of sensitive data

In this Act:

(1) Sensitive data

The term sensitive data includes the following:

(A) Social security numbers.

(B) Financial records.

(C) Previous or current health records, including hospital or treatment records of any kind, including drug and alcohol rehabilitation records.

(D) Criminal records.

(E) Licenses.

(F) License denials, suspensions, or revocations.

(G) Tax returns.

(H) Information that has been specifically authorized under criteria established by an Executive order or an Act of Congress to be kept classified in the interest of national defense or foreign policy.

(I) Personally identifiable information.

(2) Personally identifiable information

The term personally identifiable information means any information, in any form or medium, that relates to the past, present, or future physical or mental health, predisposition, or condition of an individual or the provision of health care to an individual.

(3) Federal computer system

The term Federal computer system has the meaning given such term in section 20(d) of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3(d)).

(4) Agency

The term agency has the meaning provided in section 3502(1) of title 44, United States Code.

(5) Record

The term record has the meaning provided in section 552a(a) of title 5, United States Code.

3. Requirement for use of encryption for sensitive data

(a) Requirement for encryption

(1) In general

All sensitive data maintained by the Federal Government, including such data maintained in Federal computer systems, shall be secured by the use of the most secure encryption standard recognized by the National Institute of Standards and Technology.

(2) Updating required every 6 months

Any sequence of characters (known as an encryption key) used to secure an encryption standard used on Federal computer systems shall be changed every 6 months, at a minimum, to provide additional security.

(3) Implementation

The requirements of this subsection shall be implemented not later than 6 months after the date of the enactment of this Act.

(b) Federal agency responsibilities

The head of each agency shall be responsible for complying with the requirements of subsection (a) within the agency. Such requirement shall be considered to be a requirement of subchapter III of chapter 35 of title 44, United States Code, for purposes of section 3544(a)(1)(B) of such title.

4. Requirements relating to access by agency personnel to sensitive data

(a) On-site access

No employee of the Federal government may have access to sensitive data on Government property unless the employee has received a security clearance at the secret level or higher and has completed a financial disclosure form, in accordance with applicable provisions of law and regulation.

(b) Off-site access

(1) Prohibition

Sensitive data maintained by an agency may not be transported or accessed from a location off Government property unless a request for such transportation or access is submitted and approved by the Inspector General of the agency in accordance with paragraph (2).

(2) Procedures

(A) Deadline for approval or disapproval

In the case of any request submitted under paragraph (1) to an Inspector General of an agency, the Inspector General shall approve or disapprove the request within 2 business days after the date of submission of the request.

(B) Limitation to 10,000 records

If a request is approved, the Inspector General shall limit the access to not more than 10,000 records at a time.

(3) Encryption

Any technology used to store, transport, or access sensitive data for purposes of off-site access approved under this subsection shall be secured by the use of the most secure encryption standard recognized by the National Institute of Standards and Technology.

(c) Implementation

The requirements of this subsection shall be implemented not later than 6 months after the date of the enactment of this Act.

5. Requirements relating to government contractors involving sensitive data

(a) Applicability to government contractors

In entering into any contract that may involve sensitive data in electronic or digital form on 10,000 or more United States citizens, an agency shall require the contractor and employees of the contractor to comply with the requirements of sections 3 and 4 of this Act in the performance of the contract, in the same manner as agencies and government employees comply with such requirements.

(b) Implementation

The requirements of this subsection shall be implemented with respect to contracts entered into on or after the date occurring 6 months after the date of the enactment of this Act.