Section 2. Findings and Purposes

Establishes the purpose of these Amendments: to create and maintain privacy leadership in federal government, and to ensure that identifiable personal information collected by the government is shared only when legal and necessary, either within the original intent for the information collection or when there is an important public policy need. Establishes that damages are recoverable to individuals in the cases where emotional damages are clear when a willful or intentional action has occurred that violates individual rights under the Privacy Act. Establishes that notice of information collection and sharing should be given in a timely manner.

Title I — Creation of Privacy Leadership

Section 101. Government-Wide Chief Privacy Officer (CPO)

Establishes a Chief Privacy Officer within the Office of Management and Budget, a senior official who will manage federal government privacy policy. The OMB CPO may exempt certain agencies or parts of agencies from parts of the Act based on the nature and extent of systems of records within the agency, the personnel data processing and practices, and other relevant matters. The OMB CPO may recommend that components of agencies have their own CPO. The OMB CPO will coordinate with the Civil Liberties Board, will issue guidance to agencies in implementing the Act within 9 months, and will update guidance on the Privacy Act and E-Government Act every seven years. The OMB CPO will also report to Congress one and two years after implementation of this Act, and every five years thereafter.

Section 102. CPOs at all Major Agencies

The Act also creates Chief Privacy Officers at all Executive branch Departments and major agencies, designated by the head of the department, the OMB CPO, or the Privacy and Civil Liberties Oversight Board.

Section 103. Creation of CPO Council headed by the Government-Wide CPO

Establishes a Chief Privacy Officers Council, with membership of the OMB CPO, who will act as chairperson; the OMB E-Government Administrator, who will act as co-chairperson; the CPO of each agency in [section 1062 of 42 USC 2000ee-1]; the executive director of the Privacy and Civil Liberties Oversight Board; and any other officer or employee of the United States as designated by the Council chairperson. The vice chairperson of the Council shall be chosen from among the Council members and will serve as a representative on the Chief Information Officer Council. The Council will serve as an interagency forum to establish best practices for agency privacy policy by sharing experiences and innovative approaches to information and security best practices, common penetration testing regimes, and incident response mitigation. The Council will also promote the development and use of common performance measures for agency information security; develop certification and accreditation processes and privacy audit processes by establishing more effective and efficient methods and best practices; and submit proposed enhancements to the Office of Management and Budget.

Title II — Amendments to the Privacy Act of 1974

Section 201. Definition of system of records

Amends the definition of a system of records in order to clarify that all groups of records held by agencies are considered systems of records.

Section 202. Clarifying uses and disclosure of records

Establishes definitions for data disclosure, including principal purposes or secondary purposes that are explicitly authorized in legislation or by Executive Order but not under the authority of the program for which the information was originally collected. Defines internal and external disclosures of information based on whether the agency that created the record is utilizing the data.

Section 203. Amendments to conditions of disclosure

Amends conditions of disclosure of records in order to account for internal and external disclosure for principal and secondary purposes. Allows disclosure of records for records management inspections and to Congressional offices when requested on behalf of an individual.

Section 204. Amendments to improve notification

Amends Section 552a(e) in line with definitional changes. Establishes a centralized Web site with all system of records notices maintained by the OMB Chief Privacy Officer, in addition to placing system of records notices in the Federal Register. Adds principal and secondary purpose as required elements of the notices, along with a list of entities the information may be shared with and the authority for said uses of the information collected.

Section 205. Liquidated Damages and Coverage of Negligent Violations

Creates actual damages with a cap of $10,000,000 for knowing violations under the Act and legal fees and administrative remediation for cases of negligence.

Title III — Amendments to Section 208 of the E-Government Act of 2002

Section 301. Best Practices for PIAs

Instructs the OMB Chief Privacy Officer to develop best practices for agencies to follow in conducting privacy impact assessments.

Section 302. Privacy Impact Assessment of Federal Government Employee Systems

Requires that privacy impact assessments be carried out on systems with only federal government employee information.

Section 303. Privacy Impact Assessment of Government Use of Commercial Information Services Containing Personal Information

Requires that a Privacy Impact Assessment be conducted when an agency initiates the systematic use of personally identifiable information from a commercial data source for a fee. Defines personally identifiable information as information or a compilation of information, in digital or electronic form, comprising information in identifiable form.

Section 304. Role of OMB Chief Privacy Officer in Implementing the E-Government Act

Gives responsibility for privacy impact assessments and guidance for privacy notices to the OMB Chief Privacy Officer.