Section 301. Best Practices for PIAs

Instructs the OMB Chief Privacy Officer to develop best practices for agencies to follow in conducting privacy impact assessments.

Section 302. Privacy Impact Assessment of Federal Government Employee Systems

Requires that privacy impact assessments be carried out on systems that contain only federal government employee information.

Section 303. Privacy Impact Assessment of Government Use of Commercial Information Services Containing Personal Information.

Requires that a privacy impact assessment be conducted when an agency initiates the systematic use of personally identifiable information from a commercial data source for a fee. Defines personally identifiable information as information, or a compilation of information, in digital or electronic form that is in identifiable form.

QUESTION: The Privacy Act constrains only government action related to a "system of records," which is currently defined to encompass only "a group of any records under the control of the agency . . . ." This definition leaves government use of information from third-party commercial databases unprotected.

The proposed amendment to the E-Government Act would require a privacy impact assessment to be conducted whenever an agency "systematically us[ed] personally identifiable information purchased from, or subscribed to, for a fee from a commercial data source." Does this change update protections to keep pace with technological advances and changes in the data-collection market?

ISSUE: For further discussion of issues arising out of the definition of "system of records," click here.

Section 304. Role of OMB Chief Privacy Officer in Implementing the E-Government Act

Gives responsibility for privacy impact assessments and guidance for privacy notices to the OMB Chief Privacy Officer.
