


110 HR 516 IH: Federal Agency Data Privacy Protection

U.S. House of Representatives
2007-01-17
Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.


I
110th CONGRESS
1st Session
H. R. 516
IN THE HOUSE OF REPRESENTATIVES

January 17, 2007
Mrs. Jo Ann Davis of Virginia introduced the following bill; which was referred to the Committee on Oversight and Government Reform

A BILL
To increase the security of sensitive data maintained by the Federal Government.
	
	
1. Short title
This Act may be cited as the "Federal Agency Data Privacy Protection Act".
2. Definition of sensitive data
In this Act:
	(1) Sensitive data. The term "sensitive data" includes the following:
		(A) Social security numbers.
		(B) Financial records.
		(C) Previous or current health records, including hospital or treatment records of any kind, including drug and alcohol rehabilitation records.
		(D) Criminal records.
		(E) Licenses.
		(F) License denials, suspensions, or revocations.
		(G) Tax returns.
		(H) Information that has been specifically authorized under criteria established by an Executive order or an Act of Congress to be kept classified in the interest of national defense or foreign policy.
		(I) Personally identifiable information.
	(2) Personally identifiable information. The term "personally identifiable information" means any information, in any form or medium, that relates to the past, present, or future physical or mental health, predisposition, or condition of an individual or the provision of health care to an individual.
	(3) Federal computer system. The term "Federal computer system" has the meaning given such term in section 20(d) of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3(d)).
	(4) Agency. The term "agency" has the meaning provided in section 3502(1) of title 44, United States Code.
	(5) Record. The term "record" has the meaning provided in section 552a(a) of title 5, United States Code.
3. Requirement for use of encryption for sensitive data
	(a) Requirement for encryption
		(1) In general. All sensitive data maintained by the Federal Government, including such data maintained in Federal computer systems, shall be secured by the use of the most secure encryption standard recognized by the National Institute of Standards and Technology.
		(2) Updating required every 6 months. Any sequence of characters (known as an "encryption key") used to secure an encryption standard used on Federal computer systems shall be changed every 6 months, at a minimum, to provide additional security.
		(3) Implementation. The requirements of this subsection shall be implemented not later than 6 months after the date of the enactment of this Act.
	(b) Federal agency responsibilities. The head of each agency shall be responsible for complying with the requirements of subsection (a) within the agency. Such requirement shall be considered to be a requirement of subchapter III of chapter 35 of title 44, United States Code, for purposes of section 3544(a)(1)(B) of such title.
4. Requirements relating to access by agency personnel to sensitive data
	(a) On-site access. No employee of the Federal Government may have access to sensitive data on Government property unless the employee has received a security clearance at the secret level or higher and has completed a financial disclosure form, in accordance with applicable provisions of law and regulation.
	(b) Off-site access
		(1) Prohibition. Sensitive data maintained by an agency may not be transported or accessed from a location off Government property unless a request for such transportation or access is submitted to and approved by the Inspector General of the agency in accordance with paragraph (2).
		(2) Procedures
			(A) Deadline for approval or disapproval. In the case of any request submitted under paragraph (1) to an Inspector General of an agency, the Inspector General shall approve or disapprove the request within 2 business days after the date of submission of the request.
			(B) Limitation to 10,000 records. If a request is approved, the Inspector General shall limit the access to not more than 10,000 records at a time.
		(3) Encryption. Any technology used to store, transport, or access sensitive data for purposes of off-site access approved under this subsection shall be secured by the use of the most secure encryption standard recognized by the National Institute of Standards and Technology.
	(c) Implementation. The requirements of this subsection shall be implemented not later than 6 months after the date of the enactment of this Act.
5. Requirements relating to government contractors involving sensitive data
	(a) Applicability to government contractors. In entering into any contract that may involve sensitive data in electronic or digital form on 10,000 or more United States citizens, an agency shall require the contractor and employees of the contractor to comply with the requirements of sections 3 and 4 of this Act in the performance of the contract, in the same manner as agencies and government employees comply with such requirements.
	(b) Implementation. The requirements of this subsection shall be implemented with respect to contracts entered into on or after the date occurring 6 months after the date of the enactment of this Act.
			
