II
112th CONGRESS
1st Session
S. 1732
IN THE SENATE OF THE UNITED STATES
October 18, 2011
Mr. Akaka introduced the following bill; which was read twice and referred to the Committee on Homeland Security and Governmental Affairs
A BILL
To amend section 552a of title 5, United States Code (commonly referred to as the Privacy Act), the E-Government Act of 2002 (Public Law 107–347), and chapters 35 and 36 of title 44, United States Code, and other provisions of law to modernize and improve Federal privacy laws.
Short title
This Act may be cited as the "Privacy Act Modernization for the Information Age Act of 2011".
Amendments to the Privacy Act
Definitions
Section 552a(a) of title 5, United States Code (commonly referred to as the Privacy Act), is amended—
in paragraph (4), by striking "that is maintained by an agency, including, but not limited to, his" and inserting ", including";
by striking paragraph (5) and inserting the following:
"the term 'system of records' means a group of any records maintained by, or otherwise under the control of any agency that is used for any authorized purpose by or on behalf of the agency;";
by striking paragraph (7) and inserting the following:
"the term 'routine use' means, with respect to the disclosure of a record, the use of such record for a purpose which, as determined by the agency, is compatible with the purpose for which it was collected and is appropriate and reasonably necessary for the efficient and effective conduct of Government;"; and
in paragraph (8)(A)(i)—
by striking "two or more automated systems of records or a system of records with non-Federal records" and inserting "data from a system of records";
in subclause (I), by inserting "or State" after "Federal"; and
in subclause (II), by inserting "or State" after "Federal".
Conditions of disclosure
Section 552a(b) of title 5, United States Code, is amended—
in paragraph (1), by inserting "that is consistent with, and related to, any purpose described under subsection (e)(2)(D) of this section" before the semicolon;
in paragraph (3), by striking "(e)(4)(D)" and inserting "(e)(2)(D)(iv) or subsection (v)";
in paragraph (6), by inserting "or for records management inspections authorized by statute" before the semicolon;
in paragraph (7), by inserting ", notwithstanding any requirements of a routine use as defined under subsection (a)(7)," before "to another agency";
in paragraph (8), by striking "upon such disclosure notification is transmitted to the last known address of such individual" and inserting "a reasonable attempt to notify the individual is made promptly after the disclosure"; and
by striking paragraph (9) and inserting the following:
"to either House of Congress;
to the extent of matter within its jurisdiction, any committee or subcommittee thereof, any joint committee of Congress or subcommittee of any such joint committee; or
to the office of a Member of Congress when that office is requesting records about a specific individual on behalf of that individual in response to a written request for assistance by that individual;".
Accounting of certain disclosures
Section 552a(c) of title 5, United States Code, is amended by inserting "whether in an electronic or other format" after "system of records under its control".
Agency requirements
Section 552a of title 5, United States Code, is amended by striking subsection (e) and inserting the following:
"Agency requirements
Authorized purpose
No agency shall use a record except for an authorized purpose and as maintained in a system of records under this section.
Requirements
Each agency shall—
maintain in its records only such information about an individual as is relevant and necessary to accomplish any specified purpose of the agency required to be accomplished by statute or by executive order of the President, and only retain such information as long as is necessary to fulfill that purpose or as otherwise required by law;
collect information to the greatest extent practicable directly from the subject individual when the information may result in adverse determinations about an individual’s rights, benefits, and privileges;
inform each individual whom it asks to supply information creating a record, at the time the information is requested—
the authority (whether granted by statute or by executive order of the President) which authorizes the solicitation of the information and whether disclosure of such information is voluntary or required to receive a right, benefit, or privilege;
the principal purpose or purposes for which the information is intended to be used;
the routine uses which may be made of the information, as published under subparagraph (D)(iv);
any effects on that individual of not providing all or any part of the requested information;
the procedures and contact information for accessing or correcting such information; and
a reference to learning how such information will be used or disclosed, including the simplest access to the current system of records notice;
subject to the provisions of subparagraph (K), publish in the Federal Register, make broadly accessible to the public through a centralized website maintained by the Office of Management and Budget, and link to such centralized website from each agency’s website, upon establishment or revision a notice of the existence and character of the system of records, which notice shall include—
the name and location of the system;
the categories of individuals on whom records are maintained in the system;
the categories of records maintained in the system;
any purpose for which the information is intended to be used, including each routine use;
the legal authority for any purpose for which the information is utilized granted by statute, executive order, or other authorization;
the policies and practices of the agency regarding storage, retrievability, access controls, retention, and disposal of the records;
the title and business address of the agency official who is responsible for the system of records;
the agency procedures whereby an individual can be notified at his request if the system of records contains a record pertaining to him, how he can gain access to such a record, or contest its content; and
the sources of records in the system;
to the greatest extent practicable, ensure that all records, including records from a third party source, which are used by the agency in making any determination about an individual are of such accuracy, relevance, timeliness, and completeness as is reasonably necessary to assure fairness to the individual in the determination, and upon request of the individual, provide documentation of the same;
prior to disseminating any record about an individual to any person other than an agency, unless the dissemination is made pursuant to subsection (b)(2) of this section, make reasonable efforts to assure that such records are accurate, complete, timely, and relevant for agency purposes;
maintain no record describing how any individual exercises rights guaranteed by the First Amendment unless expressly authorized by statute or by the individual about whom the record is maintained or unless pertinent to, and within the scope of, an authorized law enforcement activity;
make reasonable efforts to notify an individual as promptly as practicable after the agency receives compulsory legal process for any record on the individual, unless that notification is prohibited by law or court order;
establish rules of conduct for persons involved in the design, development, operation, or maintenance of any system of records, or in maintaining any record, and instruct each such person with respect to such rules and the requirements of this section, including any other rules and procedures adopted pursuant to this section and the penalties for noncompliance;
establish appropriate administrative, technical, and physical safeguards to insure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained;
in regards to the establishment or revision of a system of records under subparagraph (D)—
at least 30 days prior to creation or modification of a system of records, publish the entire text of the proposed system of records notice in the Federal Register and on the centralized website established under subparagraph (D);
provide an opportunity for interested persons to submit written or electronic data, views, or arguments to the agency regarding the proposed system of records notice;
within 180 days after publication of a proposed system of records notice, publish on the centralized website established under subparagraph (D), a response to the comments received, along with notice of whether the system of records notice as published has taken effect; and
provide a link to the centralized website from the website of the agency,
if such agency is a recipient agency or a source agency in a matching program with a non-Federal agency, with respect to any establishment or revision of a matching program, at least 30 days prior to conducting such program, publish in the Federal Register notice of such establishment or revision;
shall—
maintain an inventory on the number and scope of the systems of records of that agency in a manner that clearly and fairly describes activities of the agency to individuals; and
ensure that the inventory—
is annually updated and published in the Federal Register, on the website established under subparagraph (D), and on the agency’s website; and
does not contain any information that would be exempted from disclosure under this section or section 522 of this title; and
make reasonable efforts to limit disclosure from a system of records to minimum information necessary to accomplish the purpose of the disclosure.".
Agency rules
Section 552a(f) of title 5, United States Code, is amended in the last sentence—
by striking "biennially" and inserting "annually";
by striking "subsection (e)(4)" and inserting "subsection (e)(2)(D)(iv)"; and
by striking "at low cost" and inserting "electronically, or at low cost physically".
Civil remedies
Section 552a(g)(4) is amended—
by inserting "and in which the complainant has substantially prevailed" after "the agency acted in a manner which was intentional or willful"; and
in subparagraph (A), by striking ", but in no case shall a person entitled to recovery receive less than the sum of $1,000" and inserting "or the sum of $1,000, whichever is greater, except that in a class action the minimum for each individual shall be reduced as necessary to ensure that the total recovery in any class action or series of class actions arising out of the same refusal or failure to comply by the same agency shall not be greater than $10,000,000".
Criminal penalties
Section 552a(i) of title 5, United States Code, is amended—
in paragraph (1)—
by inserting "(A)" before "Any officer or employee"; and
by adding at the end the following:
"A person who commits the offense described under subparagraph (A) with the intent to sell, transfer, or use an agency record for commercial advantage, personal gain, or malicious harm shall be fined not more than $250,000, imprisoned for not more than 10 years, or both."; and
in paragraph (3), by striking "misdemeanor and fined not more than $5,000" and inserting "felony and fined not more than $100,000, imprisoned for not more than 5 years, or both".
General exemptions
Section 552a(j) of title 5, United States Code, is amended by striking "The head of any agency" and inserting "Notwithstanding any requirements of a routine use as defined under subsection (a)(7), the head of any agency".
Specific exemptions
Section 552a(k) of title 5, United States Code, is amended by striking "The head of any agency" and inserting "Notwithstanding any requirements of a routine use as defined under subsection (a)(7), the head of any agency".
Archival records
Section 552a(l) of title 5, United States Code, is amended in paragraphs (2) and (3) by striking "National Archives of the United States" each place that term appears and inserting "National Archives and Records Administration".
Government contractors
Section 552(m)(1) of title 5, United States Code, is amended by striking "for the operation by or on behalf of the agency of a system of records to accomplish an agency function" and inserting "or other agreement, including with another agency, for the maintenance of a system of records to accomplish an agency function on behalf of the agency".
Office of management and budget responsibilities
Section 552a(v) of title 5, United States Code, is amended—
in paragraph (1), by striking "and" after the semicolon;
in paragraph (2), by striking the period and inserting "; and"; and
by adding at the end the following:
"establish and update a list of recommended standard routine uses.".
Amendments to the E-Government Act of 2002
Section 208 of the E-Government Act of 2002 (44 U.S.C. 3501 note; Public Law 107–347) is amended—
in subsection (b)—
in paragraph (1)(A)—
by striking clause (i) and inserting the following:
"developing, procuring, or otherwise making use of information technology that collects, maintains, or disseminates personally identifiable information; or";
in clause (ii)(II)—
by striking "information in an identifiable form" and inserting "personally identifiable information"; and
by striking ", other than agencies, instrumentalities, or employees of the Federal Government." and inserting "; and"; and
by adding at the end the following:
"using personally identifiable information purchased, or subscribed to for a fee, from a commercial data source."; and
in paragraph (2)(B)—
in clause (i), by striking "information that is in an identifiable form" and inserting "personally identifiable information"; and
in clause (ii)—
in subclause (VI), by striking "and" at the end;
in subclause (VII), by striking the period and inserting "; and"; and
by adding at the end the following:
"to what extent risks to privacy protection are created by the use of the information and what steps have been taken to mitigate such risks."; and
by striking subsection (d) and inserting the following:
"Definition
In this section, the term 'personally identifiable information' means any information about an individual maintained by an agency, including—
any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; or
any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.".
Amendments to chapters 35 and 36 of title 44, United States Code
Office of Management and Budget
Section 3504 of title 44, United States Code, is amended—
in subsection (a)(1)(A)—
in clause (iv), by inserting "and" after the semicolon;
by striking clause (v); and
by redesignating clause (vi) as clause (v);
by striking subsection (g); and
by redesignating subsection (h) as subsection (g).
Federal information privacy policy
In general
Chapter 35 of title 44, United States Code, is amended by adding at the end the following:
"Federal information privacy policy
Purposes
The purposes of this subchapter are to—
ensure the consistent application of privacy protections to personally identifiable information collected, maintained, and used by all agencies;
strengthen the responsibility and accountability of the Office of Management and Budget for overseeing privacy protection in agencies;
improve agency responses to privacy breaches to better inform and protect the public from the misuse of personally identifiable information;
strengthen the responsibility and accountability of agency officials for ensuring effective implementation of privacy protection requirements; and
ensure that agency use of commercial sources of information and information system services provides adequate information security and privacy protections.
Definitions
In general
Except as provided under subsection (b), the definitions under section 3502 shall apply to this subchapter.
Additional definitions
In this subchapter—
the term 'Council' means the Chief Privacy Officers Council established under section 3567;
the term 'personally identifiable information' means any information about an individual maintained by an agency, including—
any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and
any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information; and
the term 'data broker' means a person or entity that for a fee regularly engages in the practice of collecting, transmitting, or providing access to personally identifiable information concerning more than 5,000 individuals who are not the customers or employees of that person or entity (or an affiliated entity) primarily for the purposes of providing such information to non-affiliated third parties on an interstate basis.
Authority and functions of the Director
In fulfilling the responsibility to administer the functions assigned under subchapter I, the Director of the Office of Management and Budget shall comply with this subchapter with respect to the specific matters covered by this subchapter.
The Director shall oversee agency privacy protection policies and practices, including by—
developing and overseeing the implementation of policies, principles, standards, and guidelines on privacy protection;
providing direction and overseeing privacy, confidentiality, security, disclosure, and sharing of information;
overseeing agency compliance with laws relating to privacy protection, including the requirements of this subchapter, section 552a of title 5 (commonly referred to as the Privacy Act), and section 208 of the E-Government Act of 2002;
coordinating privacy protection policies and procedures with related information resources management policies and procedures, including through ensuring that privacy protection considerations are taken into account in managing the collection of information and the control of paperwork as provided under subchapter I; and
appointing a Federal Chief Privacy Officer under section 3564.
Specific responsibilities of the Federal Chief Privacy Officer
Federal Chief Privacy Officer
Definitions
In this section—
the term 'Senior Executive Service position' has the meaning given under section 3132(a)(2) of title 5; and
the term 'noncareer appointee' has the meaning given under section 3132(a)(7) of title 5.
Establishment
There is established the position of the Federal Chief Privacy Officer within the Office of Management and Budget. The position shall be a Senior Executive Service position. The Director shall appoint a noncareer appointee to the position. The primary responsibilities of the position shall be the responsibilities under subsection (b).
Qualifications
The individual appointed to be the Federal Chief Privacy Officer shall possess demonstrated expertise in privacy protection policy and Government information.
Responsibilities
The Federal Chief Privacy Officer shall—
carry out the responsibilities of the Director under this subchapter;
provide overall direction, consistent with the Office of Management and Budget guidance, section 552a of title 5 (commonly referred to as the Privacy Act), and section 208 of the E-Government Act of 2002, of privacy policy governing the Federal Government’s collection, use, sharing, disclosure, transfer, storage, security, and disposition of personally identifiable information;
to the extent that the Federal Chief Privacy Officer considers appropriate, establish procedures to review and approve privacy documentation before public dissemination;
serve as the principal advisor for Federal privacy policy matters to the Executive Office of the President, including the President, the Director, the National Security Council, the Homeland Security Council, and the Office of Science and Technology Policy;
coordinate with the Privacy and Civil Liberties Oversight Board established under section 1061 of the Intelligence Reform and Terrorism Prevention Act of 2004 (5 U.S.C. 601 note); and
every 2 years submit a report to Congress on the protection of privacy by the United States Government, including the status of implementation of requirements under this subchapter and other privacy related laws and policies.
Privacy breach requirements
The Director shall establish and oversee policies and procedures for agencies to follow in the event of a breach of information security involving the disclosure of personally identifiable information and for which harm to an individual could reasonably be expected to result, including—
a requirement for timely notice to be provided to those individuals whose personally identifiable information could be compromised as a result of such breach, except no notice shall be required if the breach does not create a reasonable risk of identity theft, fraud, or other unlawful conduct regarding such individual;
guidance on determining how timely notice is to be provided;
guidance regarding whether additional actions are necessary and appropriate, including data breach analysis, fraud resolution services, identity theft insurance, and credit protection or monitoring services; and
requirements for timely reporting by the agencies of such breaches to the director and the Federal information security incident center referred to in section 3546.
Agency responsibilities
In general
In addition to requirements under section 1062 of the National Security Intelligence Reform Act of 2004, and in fulfilling the responsibilities under section 3506(g), the head of each agency shall ensure compliance with laws relating to privacy protection, including the requirements of this subchapter, section 552a of title 5 (commonly referred to as the Privacy Act), and section 208 of the E-Government Act of 2002.
Chief Privacy Officers
In the case of an agency that has not designated a Chief Privacy Officer under section 522 of the Transportation, Treasury, Independent Agencies and General Government Appropriations Act, 2005 (42 U.S.C. 2000ee–2), the head of each agency shall—
designate a senior official to be the chief privacy officer of that agency; and
provide to the chief privacy officer such information as the officer considers necessary.
Responsibilities of agency chief privacy officer
Each chief privacy officer shall have primary responsibility for assuring the adequacy of privacy protections for personally identifiable information collected, used, or disclosed by the agency, including—
ensuring that the use of technologies sustain, and do not erode, privacy protections relating to the use, collection, and disclosure of personal information, including through the conduct of privacy impact assessments as provided by section 208 of the E-Government Act of 2002;
ensuring that personal information is handled in full compliance with fair information practices under section 552a of title 5 (commonly referred to as the Privacy Act) and other applicable laws and policies;
evaluating legislative and regulatory proposals involving collection, use, and disclosure of personally identifiable information;
coordinating with the chief information officer to ensure that privacy is adequately addressed in the agency information security program, established under section 3544;
coordinating with other senior officials to ensure programs, policies, and procedures involving civil rights, civil liberties, and privacy considerations are addressed in an integrated and comprehensive manner; and
reporting periodically to the head of the agency on agency privacy protection activities.
Chief Privacy Officers Council
Establishment
There is established in the executive branch a Chief Privacy Officers Council.
Membership
In general
The members of the Council shall be as follows:
The Federal Chief Privacy Officer, who shall serve as chairperson of the Council.
Chief Privacy Officers established under section 522 of division H of the Consolidated Appropriations Act, 2005 (42 U.S.C. 2000ee–2; Public Law 108–447).
The chairperson of the Privacy and Civil Liberties Oversight Board.
As designated by the chairperson of the Council, any senior agency official designated to be a chief privacy officer under section 3566.
The Administrator of the Office of Electronic Government, as an ex-officio member.
The Administrator of the Office of Information and Regulatory Affairs, as an ex-officio member.
Any other officer or employee of the United States designated by the chairperson.
Ex-officio members
An ex-officio member may not vote in Council proceedings.
Administrative support
The Administrator of the General Services shall provide administrative and other support for the Council.
Functions
The Council shall—
be an interagency forum for establishing best practices for agency privacy policy;
share, and promote the development of, best practices to assure that the use of technologies sustains, and does not erode, privacy protections relating to the use, collection, and disclosure of personal information; assure that personal information contained in systems of records are handled in full compliance with fair information practices; and evaluate legislative and regulatory proposals involving collection, use, and disclosure of personal information by the Federal Government; and
submit proposed improvements to privacy practices to the Director.".
Technical and conforming amendment
The table of sections for chapter 35 of title 44, United States Code, is amended by adding at the end the following:
"SUBCHAPTER IV—Federal information privacy policy
Sec.
3561. Purposes.
3562. Definitions.
3563. Authority and functions of the Director.
3564. Specific responsibilities of the Chief Privacy Officer.
3565. Privacy breach requirements.
3566. Agency responsibilities.
3567. Chief Privacy Officers Council.".
Electronic Government
Section 3602(d) of title 44, United States Code, is amended by inserting "and the Federal Chief Privacy Officer" after "Information and Regulatory Affairs".
Amendments to section 1062 of the National Intelligence Reform Act of 2004
Section 1062 of the National Intelligence Reform Act of 2004 (42 U.S.C. 2000ee–1) is amended—
by redesignating subsections (d) through (h) as subsections (e) through (i); and
by striking subsection (c) and inserting the following:
"Authority To Investigate
In general
Each privacy officer or civil liberties officer described under subsection (a) or (b) may—
have access to all records, reports, audits, reviews, documents, papers, recommendations, and other materials available to the Department, agency, or element of the executive branch that relate to programs and operations with respect to the responsibilities of the senior official under this section;
make such investigations and reports relating to the administration of the programs and operations of the Department, agency, or element of the executive branch as are, in the senior official's judgment, necessary or desirable;
subject to the approval of the Secretary or head of the agency or element of the executive branch, require by subpoena the production, by any person other than a Federal agency, of all information, documents, reports, answers, records, accounts, papers, and other data and documentary evidence necessary to performance of the responsibilities of the senior official under this section; and
administer to or take from any person an oath, affirmation, or affidavit, whenever necessary to performance of the responsibilities of the senior official under this section.
Enforcement of subpoenas
Any subpoena issued under paragraph (1)(C) shall, in the case of contumacy or refusal to obey, be enforceable by order of any appropriate United States district court.
Effect of oaths
Any oath, affirmation, or affidavit administered or taken under paragraph (1)(D) by or before an employee of the Privacy Office designated for that purpose by the senior official appointed under subsection (a) shall have the same force and effect as if administered or taken by or before an officer having a seal of office.
Supervision and coordination
In general
Each privacy officer or civil liberties officer described under subsection (a) or (b) shall—
report to, and be under the general supervision of, the Secretary; and
coordinate activities with the Inspector General of the Department in order to avoid duplication of effort.
Coordination with the Inspector General
In general
Except as provided in subparagraph (B), the senior official appointed under subsection (a) may investigate any matter relating to possible violations or abuse concerning the administration of any program or operation of the Department, agency, or element of the executive branch relevant to the purposes under this section.
Coordination
Referral
Before initiating any investigation described under subparagraph (A), the senior official shall refer the matter and all related complaints, allegations, and information to the Inspector General of the Department, agency, or element of the executive branch.
Determinations and notifications by the Inspector General
Not later than 30 days after the receipt of a matter referred under clause (i), the Inspector General shall—
make a determination regarding whether the Inspector General intends to initiate an audit or investigation of the matter referred under clause (i); and
notify the senior official of that determination.".