Section 101. Government-Wide Chief Privacy Officer (CPO)

Establishes a Chief Privacy Officer within the Office of Management and Budget, a senior official who will manage federal government privacy policy. The OMB CPO may exempt certain agencies or parts of agencies from parts of the Act based on the nature and extent of systems of records within the agency, the personnel data processing and practices, and other relevant matters. The OMB CPO may recommend that components of agencies have their own CPO. The OMB CPO will coordinate with the Civil Liberties Board and will issue guidance to agencies in implementing the Act within 9 months and will update guidance on the Privacy Act and E-Government Act every seven years. The OMB CPO will also report to Congress one and two years after implementation of this Act, and every five years thereafter.

--*Ken Mortensen* 17:51, 30 May 2009 (UTC) I changed the language back to have the follow-on review of the E-Gov Act guidance and regs due initially two years after. By having the Privacy Act due 1 year after and the E-Gov Act due two years after you can stagger the review process to ensure a continuous process for the updating of the guidance and regs. This will be much more efficient than requiring nothing in the intervening year.

-- We originally had them together because we were concerned about syncing all overlap of the two sets of guidance. I assume that you think that it won't be a problem because it would just be made clear in e-gov guidance the next year.

  • *Ken Mortensen* 16:20, 4 June 2009 (UTC) Yes, I think that if new guidance is coming out yearly, that syncing it will be possible and happen. It has just been my experience that you need to have the ability to let folks focus on the work of the review and drafting of the update and I believe that spreading the work over the two substantive areas will mean better and more thorough reviews and guidance on the substantive issues.

--*Ken Mortensen* 17:58, 30 May 2009 (UTC) I changed the language in (d)(4) back and updated it slightly. The idea of this language was to require the CPO to produce a report each of the first two years following his appointment and every two years thereafter. The language clarifies that.

--*Ken Mortensen* 00:37, 31 May 2009 (UTC) I'm thinking that 101(e) really belongs in section 102.

Section 102. CPOs at all Major Agencies

The Act also creates Chief Privacy Officers at all Executive branch Departments and major agencies, designated by the head of the department, the OMB CPO, or the Privacy and Civil Liberties Oversight Board.

--*Ken Mortensen* 20:22, 1 June 2009 (UTC) Changes made to define more clearly the specific agencies at which CPO should be in place as well as to align better the language proposed with the existing language in 42 USC 2000ee-1. In addition, added requirements from section 522 of the Consolidated Appropriation Act of 2005 (Pub. L. 108-447, 118 Stat. 3268) to specific general policy making and compliance operations to be assigned to the agency CPO. Further amendments are necessary in the other parts of section 2000ee-1, including changing the reporting requirement to annual from quarterly.


The previous edits eliminated one of the principal recommendations of the 9/11 Commission -- the creation of a privacy and civil liberties officer to serve as the principal advisor on those issues in the context of counterterrorism at agencies and departments that exercise national security authority. The 9/11 Commission believed strongly that these positions were essential. The statutory language creating privacy officers for every agency should be a stand-alone provision.

Section 103. Creation of CPO Council headed by the Government-Wide CPO

Establishes a Chief Privacy Officers Council, with membership of the OMB CPO, who will act as chairperson, the OMB E-Government Administrator, who will act as co-chairperson, the CPO of each agency in [section 1062 of 42 USC 2000ee-1], the executive director of the Privacy and Civil Liberties Oversight Board, and any other officer or employee of the United States as designated by the Council chairperson. The vice chairperson of the Council shall be chosen from among the Council members and will serve as a representative on the Chief Information Officer Council.

The Council will serve as an interagency forum to establish best practices for agency privacy policy by sharing experiences and innovative approaches to information and security best practices, common penetration testing regimes, and incident response mitigation. The Council will also promote the development and use of common performance measures for agency information security, develop certification and accreditation processes and privacy audit processes by establishing more effective and efficient methods and best practices, and submit proposed enhancements to the Office of Management and Budget.
