[Congressional Bills 112th Congress]
[From the U.S. Government Publishing Office]
[S. 1732 Introduced in Senate (IS)]

112th CONGRESS
  1st Session
                                S. 1732

To amend section 552a of title 5, United States Code (commonly referred 
 to as the Privacy Act), the E-Government Act of 2002 (Public Law 107-
347), and chapters 35 and 36 of title 44, United States Code, and other 
    provisions of law to modernize and improve Federal privacy laws.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                            October 18, 2011

   Mr. Akaka introduced the following bill; which was read twice and 
referred to the Committee on Homeland Security and Governmental Affairs

_______________________________________________________________________

                                 A BILL


 

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Privacy Act Modernization for the 
Information Age Act of 2011''.

SEC. 2. AMENDMENTS TO THE PRIVACY ACT.

    (a) Definitions.--Section 552a(a) of title 5, United States Code 
(commonly referred to as the Privacy Act), is amended--
            (1) in paragraph (4), by striking ``that is maintained by 
        an agency, including, but not limited to, his'' and inserting 
        ``, including'';
            (2) by striking paragraph (5) and inserting the following:
            ``(5) the term `system of records' means a group of any 
        records maintained by, or otherwise under the control of any 
        agency that is used for any authorized purpose by or on behalf 
        of the agency;'';
            (3) by striking paragraph (7) and inserting the following:
            ``(7) the term `routine use' means, with respect to the 
        disclosure of a record, the use of such record for a purpose 
        which, as determined by the agency, is compatible with the 
        purpose for which it was collected and is appropriate and 
        reasonably necessary for the efficient and effective conduct of 
        Government;''; and
            (4) in paragraph (8)(A)(i)--
                    (A) by striking ``two or more automated systems of 
                records or a system of records with non-Federal 
                records'' and inserting ``data from a system of 
                records'';
                    (B) in subclause (I), by inserting ``or State'' 
                after ``Federal''; and
                    (C) in subclause (II), by inserting ``or State'' 
                after ``Federal''.
    (b) Conditions of Disclosure.--Section 552a(b) of title 5, United 
States Code, is amended--
            (1) in paragraph (1), by inserting ``that is consistent 
        with, and related to, any purpose described under subsection 
        (e)(2)(D) of this section'' before the semicolon;
            (2) in paragraph (3), by striking ``(e)(4)(D)'' and 
        inserting ``(e)(2)(D)(iv) or subsection (v)'';
            (3) in paragraph (6), by inserting ``or for records 
        management inspections authorized by statute'' before the 
        semicolon;
            (4) in paragraph (7), by inserting ``, notwithstanding any 
        requirements of a routine use as defined under subsection 
        (a)(7),'' before ``to another agency'';
            (5) in paragraph (8), by striking ``upon such disclosure 
        notification is transmitted to the last known address of such 
        individual'' and inserting ``a reasonable attempt to notify the 
        individual is made promptly after the disclosure''; and
            (6) by striking paragraph (9) and inserting the following:
            ``(9)(A) to either House of Congress;
            ``(B) to the extent of matter within its jurisdiction, any 
        committee or subcommittee thereof, any joint committee of 
        Congress or subcommittee of any such joint committee; or
            ``(C) to the office of a Member of Congress when that 
        office is requesting records about a specific individual on 
        behalf of that individual in response to a written request for 
        assistance by that individual;''.
    (c) Accounting of Certain Disclosures.--Section 552a(c) of title 5, 
United States Code, is amended by inserting ``whether in an electronic 
or other format'' after ``system of records under its control''.
    (d) Agency Requirements.--Section 552a of title 5, United States 
Code, is amended by striking subsection (e) and inserting the 
following:
    ``(e) Agency Requirements.--
            ``(1) Authorized purpose.--No agency shall use a record 
        except for an authorized purpose and as maintained in a system 
        of records under this section.
            ``(2) Requirements.--Each agency shall--
                    ``(A) maintain in its records only such information 
                about an individual as is relevant and necessary to 
                accomplish any specified purpose of the agency required 
                to be accomplished by statute or by executive order of 
                the President, and only retain such information as long 
                as is necessary to fulfill that purpose or as otherwise 
                required by law;
                    ``(B) collect information to the greatest extent 
                practicable directly from the subject individual when 
                the information may result in adverse determinations 
                about an individual's rights, benefits, and privileges;
                    ``(C) inform each individual whom it asks to supply 
                information creating a record, at the time the 
                information is requested--
                            ``(i) the authority (whether granted by 
                        statute or by executive order of the President) 
                        which authorizes the solicitation of the 
                        information and whether disclosure of such 
                        information is voluntary or required to receive 
                        a right, benefit, or privilege;
                            ``(ii) the principal purpose or purposes 
                        for which the information is intended to be 
                        used;
                            ``(iii) the routine uses which may be made 
                        of the information, as published under 
                        subparagraph (D)(iv);
                            ``(iv) any effects on that individual of 
                        not providing all or any part of the requested 
                        information;
                            ``(v) the procedures and contact 
                        information for accessing or correcting such 
                        information; and
                            ``(vi) a reference to learning how such 
                        information will be used or disclosed, 
                        including the simplest access to the current 
                        system of records notice;
                    ``(D) subject to the provisions of subparagraph 
                (K), publish in the Federal Register, make broadly 
                accessible to the public through a centralized website 
                maintained by the Office of Management and Budget, and 
                link to such centralized website from each agency's 
                website, upon establishment or revision a notice of the 
                existence and character of the system of records, which 
                notice shall include--
                            ``(i) the name and location of the system;
                            ``(ii) the categories of individuals on 
                        whom records are maintained in the system;
                            ``(iii) the categories of records 
                        maintained in the system;
                            ``(iv) any purpose for which the 
                        information is intended to be used, including 
                        each routine use;
                            ``(v) the legal authority for any purpose 
                        for which the information is utilized granted 
                        by statute, executive order, or other 
                        authorization;
                            ``(vi) the policies and practices of the 
                        agency regarding storage, retrievability, 
                        access controls, retention, and disposal of the 
                        records;
                            ``(vii) the title and business address of 
                        the agency official who is responsible for the 
                        system of records;
                            ``(viii) the agency procedures whereby an 
                        individual can be notified at his request if 
                        the system of records contains a record 
                        pertaining to him, how he can gain access to 
                        such a record, or contest its content; and
                            ``(ix) the sources of records in the 
                        system;
                    ``(E) to the greatest extent practicable, ensure 
                that all records, including records from a third party 
                source, which are used by the agency in making any 
                determination about an individual are of such accuracy, 
                relevance, timeliness, and completeness as is 
                reasonably necessary to assure fairness to the 
                individual in the determination, and upon request of 
                the individual, provide documentation of the same;
                    ``(F) prior to disseminating any record about an 
                individual to any person other than an agency, unless 
                the dissemination is made pursuant to subsection (b)(2) 
                of this section, make reasonable efforts to assure that 
                such records are accurate, complete, timely, and 
                relevant for agency purposes;
                    ``(G) maintain no record describing how any 
                individual exercises rights guaranteed by the First 
                Amendment unless expressly authorized by statute or by 
                the individual about whom the record is maintained or 
                unless pertinent to, and within the scope of, an 
                authorized law enforcement activity;
                    ``(H) make reasonable efforts to notify an 
                individual as promptly as practicable after the agency 
                receives compulsory legal process for any record on the 
                individual, unless that notification is prohibited by 
                law or court order;
                    ``(I) establish rules of conduct for persons 
                involved in the design, development, operation, or 
                maintenance of any system of records, or in maintaining 
                any record, and instruct each such person with respect 
                to such rules and the requirements of this section, 
                including any other rules and procedures adopted 
                pursuant to this section and the penalties for 
                noncompliance;
                    ``(J) establish appropriate administrative, 
                technical, and physical safeguards to insure the 
                security and confidentiality of records and to protect 
                against any anticipated threats or hazards to their 
                security or integrity which could result in substantial 
                harm, embarrassment, inconvenience, or unfairness to 
                any individual on whom information is maintained;
                    ``(K) in regards to the establishment or revision 
                of a system of records under subparagraph (D)--
                            ``(i) at least 30 days prior to creation or 
                        modification of a system of records, publish 
                        the entire text of the proposed system of 
                        records notice in the Federal Register and on 
                        the centralized website established under 
                        subparagraph (D);
                            ``(ii) provide an opportunity for 
                        interested persons to submit written or 
                        electronic data, views, or arguments to the 
                        agency regarding the proposed system of records 
                        notice;
                            ``(iii) within 180 days after publication 
                        of a proposed system of records notice, publish 
                        on the centralized website established under 
                        subparagraph (D), a response to the comments 
                        received, along with notice of whether the 
                        system of records notice as published has taken 
                        effect; and
                            ``(iv) provide a link to the centralized 
                        website from the website of the agency,
                unless the Director of the Office of Management and 
                Budget, through the Federal Chief Privacy Officer 
                grants an exception, and that exception is published 
                promptly in the Federal Register and on the centralized 
                website established under subparagraph (D), including a 
                link from the agency's website;
                    ``(L) if such agency is a recipient agency or a 
                source agency in a matching program with a non-Federal 
                agency, with respect to any establishment or revision 
                of a matching program, at least 30 days prior to 
                conducting such program, publish in the Federal 
                Register notice of such establishment or revision;
                    ``(M) shall--
                            ``(i) maintain an inventory on the number 
                        and scope of the systems of records of that 
                        agency in a manner that clearly and fairly 
                        describes activities of the agency to 
                        individuals; and
                            ``(ii) ensure that the inventory--
                                    ``(I) is annually updated and 
                                published in the Federal Register, on 
                                the website established under 
                                subparagraph (D), and on the agency's 
                                website; and
                                    ``(II) does not contain any 
                                information that would be exempted from 
                                disclosure under this section or 
                                section 522 of this title; and
                    ``(N) make reasonable efforts to limit disclosure 
                from a system of records to minimum information 
                necessary to accomplish the purpose of the 
                disclosure.''.
    (e) Agency Rules.--Section 552a(f) of title 5, United States Code, 
is amended in the last sentence--
            (1) by striking ``biennially'' and inserting ``annually'';
            (2) by striking ``subsection (e)(4)'' and inserting 
        ``subsection (e)(2)(D)(iv)''; and
            (3) by striking ``at low cost'' and inserting 
        ``electronically, or at low cost physically''.
    (f) Civil Remedies.--Section 552a(g)(4) is amended--
            (1) by inserting ``and in which the complainant has 
        substantially prevailed'' after ``the agency acted in a manner 
        which was intentional or willful''; and
            (2) in subparagraph (A), by striking ``, but in no case 
        shall a person entitled to recovery receive less than the sum 
        of $1,000'' and inserting ``or the sum of $1,000, whichever is 
        greater, except that in a class action the minimum for each 
        individual shall be reduced as necessary to ensure that the 
        total recovery in any class action or series of class actions 
        arising out of the same refusal or failure to comply by the 
        same agency shall not be greater than $10,000,000''.
    (g) Criminal Penalties.--Section 552a(i) of title 5, United States 
Code, is amended--
            (1) in paragraph (1)--
                    (A) by inserting ``(A)'' before ``Any officer or 
                employee''; and
                    (B) by adding at the end the following:
                    ``(B) A person who commits the offense described 
                under subparagraph (A) with the intent to sell, 
                transfer, or use an agency record for commercial 
                advantage, personal gain, or malicious harm shall be 
                fined not more than $250,000, imprisoned for not more 
                than 10 years, or both.''; and
            (2) in paragraph (3), by striking ``misdemeanor and fined 
        not more than $5,000'' and inserting ``felony and fined not 
        more than $100,000, imprisoned for not more than 5 years, or 
        both''.
    (h) General Exemptions.--Section 552a(j) of title 5, United States 
Code, is amended by striking ``The head of any agency'' and inserting 
``Notwithstanding any requirements of a routine use as defined under 
subsection (a)(7), the head of any agency''.
    (i) Specific Exemptions.--Section 552a(k) of title 5, United States 
Code, is amended by striking ``The head of any agency'' and inserting 
``Notwithstanding any requirements of a routine use as defined under 
subsection (a)(7), the head of any agency''.
    (j) Archival Records.--Section 552a(l) of title 5, United States 
Code, is amended in paragraphs (2) and (3) by striking ``National 
Archives of the United States'' each place that term appears and 
inserting ``National Archives and Records Administration''.
    (k) Government Contractors.--Section 552(m)(1) of title 5, United 
States Code, is amended by striking ``for the operation by or on behalf 
of the agency of a system of records to accomplish an agency function'' 
and inserting ``or other agreement, including with another agency, for 
the maintenance of a system of records to accomplish an agency function 
on behalf of the agency''.
    (l) Office of Management and Budget Responsibilities.--Section 
552a(v) of title 5, United States Code, is amended--
            (1) in paragraph (1), by striking ``and'' after the 
        semicolon;
            (2) in paragraph (2), by striking the period and inserting 
        ``; and''; and
            (3) by adding at the end the following:
            ``(3) establish and update a list of recommended standard 
        routine uses.''.

SEC. 3. AMENDMENTS TO THE E-GOVERNMENT ACT OF 2002.

    Section 208 of the E-Government Act of 2002 (44 U.S.C. 3501 note; 
Public Law 107-347) is amended--
            (1) in subsection (b)--
                    (A) in paragraph (1)(A)--
                            (i) by striking clause (i) and inserting 
                        the following:
                            ``(i) developing, procuring, or otherwise 
                        making use of information technology that 
                        collects, maintains, or disseminates personally 
                        identifiable information; or'';
                            (ii) in clause (ii)(II)--
                                    (I) by striking ``information in an 
                                identifiable form'' and inserting 
                                ``personally identifiable 
                                information''; and
                                    (II) by striking ``, other than 
                                agencies, instrumentalities, or 
                                employees of the Federal Government.'' 
                                and inserting ``; and''; and
                            (iii) by adding at the end the following:
                            ``(iii) using personally identifiable 
                        information purchased, or subscribed to for a 
                        fee, from a commercial data source.''; and
                    (B) in paragraph (2)(B)--
                            (i) in clause (i), by striking 
                        ``information that is in an identifiable form'' 
                        and inserting ``personally identifiable 
                        information''; and
                            (ii) in clause (ii)--
                                    (I) in subclause (VI), by striking 
                                ``and'' at the end;
                                    (II) in subclause (VII), by 
                                striking the period and inserting ``; 
                                and''; and
                                    (III) by adding at the end the 
                                following:
                                    ``(VIII) to what extent risks to 
                                privacy protection are created by the 
                                use of the information and what steps 
                                have been taken to mitigate such 
                                risks.''; and
            (2) by striking subsection (d) and inserting the following:
    ``(d) Definition.--In this section, the term `personally 
identifiable information' means any information about an individual 
maintained by an agency, including--
            ``(1) any information that can be used to distinguish or 
        trace an individual's identity, such as name, social security 
        number, date and place of birth, mother's maiden name, or 
        biometric records; or
            ``(2) any other information that is linked or linkable to 
        an individual, such as medical, educational, financial, and 
        employment information.''.

SEC. 4. AMENDMENTS TO CHAPTERS 35 AND 36 OF TITLE 44, UNITED STATES 
              CODE.

    (a) Office of Management and Budget.--Section 3504 of title 44, 
United States Code, is amended--
            (1) in subsection (a)(1)(A)--
                    (A) in clause (iv), by inserting ``and'' after the 
                semicolon;
                    (B) by striking clause (v); and
                    (C) by redesignating clause (vi) as clause (v);
            (2) by striking subsection (g); and
            (3) by redesignating subsection (h) as subsection (g).
    (b) Federal Information Privacy Policy.--
            (1) In general.--Chapter 35 of title 44, United States 
        Code, is amended by adding at the end the following:

          ``SUBCHAPTER IV--FEDERAL INFORMATION PRIVACY POLICY

``Sec. 3561. Purposes
    ``The purposes of this subchapter are to--
            ``(1) ensure the consistent application of privacy 
        protections to personally identifiable information collected, 
        maintained, and used by all agencies;
            ``(2) strengthen the responsibility and accountability of 
        the Office of Management and Budget for overseeing privacy 
        protection in agencies;
            ``(3) improve agency responses to privacy breaches to 
        better inform and protect the public from the misuse of 
        personally identifiable information;
            ``(4) strengthen the responsibility and accountability of 
        agency officials for ensuring effective implementation of 
        privacy protection requirements; and
            ``(5) ensure that agency use of commercial sources of 
        information and information system services provides adequate 
        information security and privacy protections.
``Sec. 3562. Definitions
    ``(a) In General.--Except as provided under subsection (b), the 
definitions under section 3502 shall apply to this subchapter.
    ``(b) Additional Definitions.--In this subchapter--
            ``(1) the term `Council' means the Chief Privacy Officers 
        Council established under section 3567;
            ``(2) the term `personally identifiable information' means 
        any information about an individual maintained by an agency, 
        including--
                    ``(A) any information that can be used to 
                distinguish or trace an individual's identity, such as 
                name, social security number, date and place of birth, 
                mother's maiden name, or biometric records; and
                    ``(B) any other information that is linked or 
                linkable to an individual, such as medical, 
                educational, financial, and employment information; and
            ``(3) the term `data broker' means a person or entity that 
        for a fee regularly engages in the practice of collecting, 
        transmitting, or providing access to personally identifiable 
        information concerning more than 5,000 individuals who are not 
        the customers or employees of that person or entity (or an 
        affiliated entity) primarily for the purposes of providing such 
        information to non-affiliated third parties on an interstate 
        basis.
``Sec. 3563. Authority and functions of the Director
    ``(a) In fulfilling the responsibility to administer the functions 
assigned under subchapter I, the Director of the Office of Management 
and Budget shall comply with this subchapter with respect to the 
specific matters covered by this subchapter.
    ``(b) The Director shall oversee agency privacy protection policies 
and practices, including by--
            ``(1) developing and overseeing the implementation of 
        policies, principles, standards, and guidelines on privacy 
        protection;
            ``(2) providing direction and overseeing privacy, 
        confidentiality, security, disclosure, and sharing of 
        information;
            ``(3) overseeing agency compliance with laws relating to 
        privacy protection, including the requirements of this 
        subchapter, section 552a of title 5 (commonly referred to as 
        the Privacy Act), and section 208 of the E-Government Act of 
        2002;
            ``(4) coordinating privacy protection policies and 
        procedures with related information resources management 
        policies and procedures, including through ensuring that 
        privacy protection considerations are taken into account in 
        managing the collection of information and the control of 
        paperwork as provided under subchapter I; and
            ``(5) appointing a Federal Chief Privacy Officer under 
        section 3564.
``Sec. 3564. Specific responsibilities of the Federal Chief Privacy 
              Officer
    ``(a) Federal Chief Privacy Officer.--
            ``(1) Definitions.--In this section--
                    ``(A) the term `Senior Executive Service position' 
                has the meaning given under section 3132(a)(2) of title 
                5; and
                    ``(B) the term `noncareer appointee' has the 
                meaning given under section 3132(a)(7) of title 5.
            ``(2) Establishment.--There is established the position of 
        the Federal Chief Privacy Officer within the Office of 
        Management and Budget. The position shall be a Senior Executive 
        Service position. The Director shall appoint a noncareer 
        appointee to the position. The primary responsibilities of the 
        position shall be the responsibilities under subsection (b).
            ``(3) Qualifications.--The individual appointed to be the 
        Federal Chief Privacy Officer shall possess demonstrated 
        expertise in privacy protection policy and Government 
        information.
    ``(b) Responsibilities.--The Federal Chief Privacy Officer shall--
            ``(1) carry out the responsibilities of the Director under 
        this subchapter;
            ``(2) provide overall direction, consistent with the Office 
        of Management and Budget guidance, section 552a of title 5 
        (commonly referred to as the Privacy Act), and section 208 of 
        the E-Government Act of 2002, of privacy policy governing the 
        Federal Government's collection, use, sharing, disclosure, 
        transfer, storage, security, and disposition of personally 
        identifiable information;
            ``(3) to the extent that the Federal Chief Privacy Officer 
        considers appropriate, establish procedures to review and 
        approve privacy documentation before public dissemination;
            ``(4) serve as the principal advisor for Federal privacy 
        policy matters to the Executive Office of the President, 
        including the President, the Director, the National Security 
        Council, the Homeland Security Council, and the Office of 
        Science and Technology Policy;
            ``(5) coordinate with the Privacy and Civil Liberties 
        Oversight Board established under section 1061 of the 
        Intelligence Reform and Terrorism Prevention Act of 2004 (5 
        U.S.C. 601 note); and
            ``(6) every 2 years submit a report to Congress on the 
        protection of privacy by the United States Government, 
        including the status of implementation of requirements under 
        this subchapter and other privacy related laws and policies.
``Sec. 3565. Privacy breach requirements
    ``The Director shall establish and oversee policies and procedures 
for agencies to follow in the event of a breach of information security 
involving the disclosure of personally identifiable information and for 
which harm to an individual could reasonably be expected to result, 
including--
            ``(1) a requirement for timely notice to be provided to 
        those individuals whose personally identifiable information 
        could be compromised as a result of such breach, except no 
        notice shall be required if the breach does not create a 
        reasonable risk of identity theft, fraud, or other unlawful 
        conduct regarding such individual;
            ``(2) guidance on determining how timely notice is to be 
        provided;
            ``(3) guidance regarding whether additional actions are 
        necessary and appropriate, including data breach analysis, 
        fraud resolution services, identity theft insurance, and credit 
        protection or monitoring services; and
            ``(4) requirements for timely reporting by the agencies of 
        such breaches to the director and the Federal information 
        security incident center referred to in section 3546.
``Sec. 3566. Agency responsibilities
    ``(a) In General.--In addition to requirements under section 1062 
of the National Security Intelligence Reform Act of 2004, and in 
fulfilling the responsibilities under section 3506(g), the head of each 
agency shall ensure compliance with laws relating to privacy 
protection, including the requirements of this subchapter, section 552a 
of title 5 (commonly referred to as the Privacy Act), and section 208 
of the E-Government Act of 2002.
    ``(b) Chief Privacy Officers.--In the case of an agency that has 
not designated a Chief Privacy Officer under section 522 of the 
Transportation, Treasury, Independent Agencies and General Government 
Appropriations Act, 2005 (42 U.S.C. 2000ee-2), the head of each agency 
shall--
            ``(1) designate a senior official to be the chief privacy 
        officer of that agency; and
            ``(2) provide to the chief privacy officer such information 
        as the officer considers necessary.
    ``(c) Responsibilities of Agency Chief Privacy Officer.--Each chief 
privacy officer shall have primary responsibility for assuring the 
adequacy of privacy protections for personally identifiable information 
collected, used, or disclosed by the agency, including--
            ``(1) ensuring that the use of technologies sustain, and do 
        not erode, privacy protections relating to the use, collection, 
        and disclosure of personal information, including through the 
        conduct of privacy impact assessments as provided by section 
        208 of the E-Government Act of 2002;
            ``(2) ensuring that personal information is handled in full 
        compliance with fair information practices under section 552a 
        of title 5 (commonly referred to as the Privacy Act) and other 
        applicable laws and policies;
            ``(3) evaluating legislative and regulatory proposals 
        involving collection, use, and disclosure of personally 
        identifiable information;
            ``(4) coordinating with the chief information officer to 
        ensure that privacy is adequately addressed in the agency 
        information security program, established under section 3544;
            ``(5) coordinating with other senior officials to ensure 
        programs, policies, and procedures involving civil rights, 
        civil liberties, and privacy considerations addressed in an 
        integrated and comprehensive manner; and
            ``(6) reporting periodically to the head of the agency on 
        agency privacy protection activities.
``Sec. 3567. Chief Privacy Officers Council
    ``(a) Establishment.--There is established in the executive branch 
a Chief Privacy Officers Council.
    ``(b) Membership.--
            ``(1) In general.--The members of the Council shall be as 
        follows:
                    ``(A) The Federal Chief Privacy Officer, who shall 
                serve as chairperson of the Council.
                    ``(B) Chief Privacy Officers established under 
                section 522 of division H of the Consolidated 
                Appropriations Act, 2005 (42 U.S.C. 2000ee-2; Public 
                Law 108-447).
                    ``(C) The chairperson of the Privacy and Civil 
                Liberties Oversight Board.
                    ``(D) As designated by the chairperson of the 
                Council, any senior agency official designated to be a 
                chief privacy officer under section 3566.
                    ``(E) The Administrator of the Office of Electronic 
                Government, as an ex-officio member.
                    ``(F) The Administrator of the Office of 
                Information and Regulatory Affairs, as an ex-officio 
                member.
                    ``(G) Any other officer or employee of the United 
                States designated by the chairperson.
            ``(2) Ex-officio members.--An ex-officio member may not 
        vote in Council proceedings.
    ``(c) Administrative Support.--The Administrator of the General 
Services shall provide administrative and other support for the 
Council.
    ``(d) Functions.--The Council shall--
            ``(1) be an interagency forum for establishing best 
        practices for agency privacy policy;
            ``(2) share, and promote the development of, best practices 
        to assure that the use of technologies sustains, and does not 
        erode, privacy protections relating to the use, collection, and 
        disclosure of personal information; assure that personal 
        information contained in systems of records are handled in full 
        compliance with fair information practices; and evaluate 
        legislative and regulatory proposals involving collection, use, 
        and disclosure of personal information by the Federal 
        Government; and
            ``(3) submit proposed improvements to privacy practices to 
        the Director.''.
            (2) Technical and conforming amendment.--The table of 
        sections for chapter 35 of title 44, United States Code, is 
        amended by adding at the end the following:

           ``subchapter iv--federal information privacy policy

``Sec.
``3561. Purposes.
``3562. Definitions.
``3563. Authority and functions of the Director.
``3564. Specific responsibilities of the Chief Privacy Officer.
``3565. Privacy breach requirements.
``3566. Agency responsibilities.
``3567. Chief Privacy Officers Council.''.
    (c) Electronic Government.--Section 3602(d) of title 44, United 
States Code, is amended by inserting ``and the Federal Chief Privacy 
Officer'' after ``Information and Regulatory Affairs''.

SEC. 5. AMENDMENTS TO SECTION 1062 OF THE NATIONAL INTELLIGENCE REFORM 
              ACT OF 2004.

    Section 1062 of the National Intelligence Reform Act of 2004 (42 
U.S.C. 2000ee-1) is amended--
            (1) by redesignating subsection (d) through (h) as 
        subsections (e) through (i); and
            (2) by striking subsection (c) and inserting the following:
    ``(c) Authority To Investigate.--
            ``(1) In general.--Each privacy officer or civil liberties 
        officer described under subsection (a) or (b) may--
                    ``(A) have access to all records, reports, audits, 
                reviews, documents, papers, recommendations, and other 
                materials available to the Department, agency, or 
                element of the executive branch that relate to programs 
                and operations with respect to the responsibilities of 
                the senior official under this section;
                    ``(B) make such investigations and reports relating 
                to the administration of the programs and operations of 
                the Department, agency, or element of the executive 
                branch as are, in the senior official's judgment, 
                necessary or desirable;
                    ``(C) subject to the approval of the Secretary or 
                head of the agency or element of the executive branch, 
                require by subpoena the production, by any person other 
                than a Federal agency, of all information, documents, 
                reports, answers, records, accounts, papers, and other 
                data and documentary evidence necessary to performance 
                of the responsibilities of the senior official under 
                this section; and
                    ``(D) administer to or take from any person an 
                oath, affirmation, or affidavit, whenever necessary to 
                performance of the responsibilities of the senior 
                official under this section.
            ``(2) Enforcement of subpoenas.--Any subpoena issued under 
        paragraph (1)(C) shall, in the case of contumacy or refusal to 
        obey, be enforceable by order of any appropriate United States 
        district court.
            ``(3) Effect of oaths.--Any oath, affirmation, or affidavit 
        administered or taken under paragraph (1)(D) by or before an 
        employee of the Privacy Office designated for that purpose by 
        the senior official appointed under subsection (a) shall have 
        the same force and effect as if administered or taken by or 
        before an officer having a seal of office.
    ``(d) Supervision and Coordination.--
            ``(1) In general.--Each privacy officer or civil liberties 
        officer described under subsection (a) or (b) shall--
                    ``(A) report to, and be under the general 
                supervision of, the Secretary; and
                    ``(B) coordinate activities with the Inspector 
                General of the Department in order to avoid duplication 
                of effort.
            ``(2) Coordination with the inspector general.--
                    ``(A) In general.--Except as provided in 
                subparagraph (B), the senior official appointed under 
                subsection (a) may investigate any matter relating to 
                possible violations or abuse concerning the 
                administration of any program or operation of the 
                Department, agency, or element of the executive branch 
                relevant to the purposes under this section.
                    ``(B) Coordination.--
                            ``(i) Referral.--Before initiating any 
                        investigation described under subparagraph (A), 
                        the senior official shall refer the matter and 
                        all related complaints, allegations, and 
                        information to the Inspector General of the 
                        Department, agency, or element of the executive 
                        branch.
                            ``(ii) Determinations and notifications by 
                        the inspector general.--Not later than 30 days 
                        after the receipt of a matter referred under 
                        clause (i), the Inspector General shall--
                                    ``(I) make a determination 
                                regarding whether the Inspector General 
                                intends to initiate an audit or 
                                investigation of the matter referred 
                                under clause (i); and
                                    ``(II) notify the senior official 
                                of that determination.''.