1.This Act may be cited as
the Privacy Act Modernization for the
Information Age Act of 2011
.
2.Amendments to
the Privacy Act
(a)Section
552a(a) of title 5, United States Code (commonly referred to as the Privacy
Act), is amended—
(1)in paragraph (4),
by striking that is maintained by an agency, including, but not limited
to, his
and inserting , including
;
(2)by striking
paragraph (5) and inserting the following:
(5)the term
system of records means a group of any records maintained by, or
otherwise under the control of any agency that is used for any authorized
purpose by or on behalf of the
agency;
;
(3)by striking
paragraph (7) and inserting the following:
(7)the term
routine use means, with respect to the disclosure of a record, the
use of such record for a purpose which, as determined by the agency, is
compatible with the purpose for which it was collected and is appropriate and
reasonably necessary for the efficient and effective conduct of
Government;
;
and
(4)in paragraph
(8)(A)(i)—
(A)by striking
two or more automated systems of records or a system of records with
non-Federal records
and inserting data from a system of
records
;
(B)in subclause (I),
by inserting or State
after Federal
; and
(C)in subclause
(II), by inserting or State
after Federal
.
(b)Section 552a(b) of title 5, United States Code, is
amended—
(1)in paragraph (1),
by inserting that is consistent with, and related to, any purpose
described under subsection (e)(2)(D) of this section
before the
semicolon;
(2)in paragraph (3),
by striking (e)(4)(D)
and inserting (e)(2)(D)(iv) or
subsection (v)
;
(3)in paragraph (6),
by inserting or for records management inspections authorized by
statute
before the semicolon;
(4)in paragraph (7),
by inserting , notwithstanding any requirements of a routine use as
defined under subsection (a)(7),
before to another
agency
;
(5)in paragraph (8),
by striking upon such disclosure notification is transmitted to the last
known address of such individual
and inserting a reasonable
attempt to notify the individual is made promptly after the disclosure
;
and
(6)by striking
paragraph (9) and inserting the following:
(9)(A)to either House of
Congress;
(B)to the extent of matter within its
jurisdiction, any committee or subcommittee thereof, any joint committee of
Congress or subcommittee of any such joint committee; or
(C)to the office of a Member of Congress
when that office is requesting records about a specific individual on behalf of
that individual in response to a written request for assistance by that
individual;
.
(c)Accounting of
certain disclosuresSection 552a(c) of title 5, United States
Code, is amended by inserting whether in an electronic or other
format
after system of records under its control
.
(d)Section 552a of title 5, United States Code, is
amended by striking subsection (e) and inserting the following:
(e)
(1)No agency shall use a record except for an authorized
purpose and as maintained in a system of records under this section.
(2)Each
agency shall—
(A)maintain in its
records only such information about an individual as is relevant and necessary
to accomplish any specified purpose of the agency required to be accomplished
by statute or by executive order of the President, and only retain such
information as long as is necessary to fulfill that purpose or as otherwise
required by law;
(B)collect
information to the greatest extent practicable directly from the subject
individual when the information may result in adverse determinations about an
individual’s rights, benefits, and privileges;
(C)inform each
individual whom it asks to supply information creating a record, at the time
the information is requested—
(i)the authority
(whether granted by statute or by executive order of the President) which
authorizes the solicitation of the information and whether disclosure of such
information is voluntary or required to receive a right, benefit, or
privilege;
(ii)the principal
purpose or purposes for which the information is intended to be used;
(iii)the routine
uses which may be made of the information, as published under subparagraph
(D)(iv);
(iv)any effects on
that individual of not providing all or any part of the requested
information;
(v)the procedures
and contact information for accessing or correcting such information;
and
(vi)a reference to
learning how such information will be used or disclosed, including the simplest
access to the current system of records notice;
(D)subject to the
provisions of subparagraph (K), publish in the Federal Register, make broadly
accessible to the public through a centralized website maintained by the Office
of Management and Budget, and link to such centralized website from each
agency’s website, upon establishment or revision a notice of the existence and
character of the system of records, which notice shall include—
(i)the name and
location of the system;
(ii)the categories
of individuals on whom records are maintained in the system;
(iii)the categories
of records maintained in the system;
(iv)any purpose for
which the information is intended to be used, including each routine
use;
(v)the legal
authority for any purpose for which the information is utilized granted by
statute, executive order, or other authorization;
(vi)the policies and
practices of the agency regarding storage, retrievability, access controls,
retention, and disposal of the records;
(vii)the title and
business address of the agency official who is responsible for the system of
records;
(viii)the agency
procedures whereby an individual can be notified at his request if the system
of records contains a record pertaining to him, how he can gain access to such
a record, or contest its content; and
(ix)the sources of
records in the system;
(E)to the greatest
extent practicable, ensure that all records, including records from a third
party source, which are used by the agency in making any determination about an
individual are of such accuracy, relevance, timeliness, and completeness as is
reasonably necessary to assure fairness to the individual in the determination,
and upon request of the individual, provide documentation of the same;
(F)prior to
disseminating any record about an individual to any person other than an
agency, unless the dissemination is made pursuant to subsection (b)(2) of this
section, make reasonable efforts to assure that such records are accurate,
complete, timely, and relevant for agency purposes;
(G)maintain no
record describing how any individual exercises rights guaranteed by the First
Amendment unless expressly authorized by statute or by the individual about
whom the record is maintained or unless pertinent to, and within the scope of,
an authorized law enforcement activity;
(H)make reasonable
efforts to notify an individual as promptly as practicable after the agency
receives compulsory legal process for any record on the individual, unless that
notification is prohibited by law or court order;
(I)establish rules
of conduct for persons involved in the design, development, operation, or
maintenance of any system of records, or in maintaining any record, and
instruct each such person with respect to such rules and the requirements of
this section, including any other rules and procedures adopted pursuant to this
section and the penalties for noncompliance;
(J)establish
appropriate administrative, technical, and physical safeguards to insure the
security and confidentiality of records and to protect against any anticipated
threats or hazards to their security or integrity which could result in
substantial harm, embarrassment, inconvenience, or unfairness to any individual
on whom information is maintained;
(K)in regards to the
establishment or revision of a system of records under subparagraph (D)—
(i)at least 30 days
prior to creation or modification of a system of records, publish the entire
text of the proposed system of records notice in the Federal Register and on
the centralized website established under subparagraph (D);
(ii)provide an
opportunity for interested persons to submit written or electronic data, views,
or arguments to the agency regarding the proposed system of records
notice;
(iii)within 180 days
after publication of a proposed system of records notice, publish on the
centralized website established under subparagraph (D), a response to the
comments received, along with notice of whether the system of records notice as
published has taken effect; and
(iv)provide a link
to the centralized website from the website of the agency,
unless
the Director of the Office of Management and Budget, through the Federal Chief
Privacy Officer grants an exception, and that exception is published promptly
in the Federal Register and on the centralized website established under
subparagraph (D), including a link from the agency’s website;(L)if such agency is
a recipient agency or a source agency in a matching program with a non-Federal
agency, with respect to any establishment or revision of a matching program, at
least 30 days prior to conducting such program, publish in the Federal Register
notice of such establishment or revision;
(M)shall—
(i)maintain an
inventory on the number and scope of the systems of records of that agency in a
manner that clearly and fairly describes activities of the agency to
individuals; and
(ii)ensure that the
inventory—
(I)is annually
updated and published in the Federal Register, on the website established under
subparagraph (D), and on the agency’s website; and
(II)does not contain
any information that would be exempted from disclosure under this section or
section 522 of this title; and
(N)make reasonable
efforts to limit disclosure from a system of records to minimum information
necessary to accomplish the purpose of the
disclosure.
.
(e)Section 552a(f) of title 5, United States Code, is amended
in the last sentence—
(1)by striking
biennially
and inserting annually
;
(2)by striking
subsection (e)(4)
and inserting subsection
(e)(2)(D)(iv)
; and
(3)by striking
at low cost
and inserting electronically, or at low cost
physically
.
(f)Section 552a(g)(4) is amended—
(1)by inserting
and in which the complainant has substantially prevailed
after
the agency acted in a manner which was intentional or willful
;
and
(2)in subparagraph
(A), by striking , but in no case shall a person entitled to recovery
receive less than the sum of $1,000
and inserting or the sum of
$1,000, whichever is greater, except that in a class action the minimum for
each individual shall be reduced as necessary to ensure that the total recovery
in any class action or series of class actions arising out of the same refusal
or failure to comply by the same agency shall not be greater than
$10,000,000
.
(g)Section 552a(i) of title 5, United States Code, is
amended—
(1)in paragraph
(1)—
(A)by inserting
(A)
before Any officer or employee
; and
(B)by adding at the
end the following:
(B)A person who
commits the offense described under subparagraph (A) with the intent to sell,
transfer, or use an agency record for commercial advantage, personal gain, or
malicious harm shall be fined not more than $250,000, imprisoned for not more
than 10 years, or both.
;
and
(2)in paragraph (3),
by striking misdemeanor and fined not more than $5,000
and
inserting felony and fined not more than $100,000, imprisoned for not
more than 5 years, or both
.
(h)Section 552a(j) of title 5, United States Code, is
amended by striking The head of any agency
and inserting
Notwithstanding any requirements of a routine use as defined under
subsection (a)(7), the head of any agency
.
(i)Section 552a(k) of title 5, United States Code, is
amended by striking The head of any agency
and inserting
Notwithstanding any requirements of a routine use as defined under
subsection (a)(7), the head of any agency
.
(j)Section 552a(l) of
title 5, United States Code, is amended in paragraphs (2) and (3) by striking
National Archives of the United States
each place that term
appears and inserting National Archives and Records
Administration
.
(k)Section 552(m)(1)
of title 5, United States Code, is amended by striking for the operation
by or on behalf of the agency of a system of records to accomplish an agency
function
and inserting or other agreement, including with
another agency, for the maintenance of a system of records to accomplish an
agency function on behalf of the agency
.
(l)Office of
management and budget responsibilitiesSection 552a(v) of title 5, United States
Code, is amended—
(1)in paragraph (1),
by striking and
after the semicolon;
(2)in paragraph (2),
by striking the period and inserting ; and
; and
(3)by adding at the
end the following:
(3)establish and
update a list of recommended standard routine
uses.
.
3.Amendments to
the E-Government Act of 2002Section 208 of the E-Government Act of 2002
(44 U.S.C. 3501 note; Public Law 107–347) is amended—
(1)in subsection
(b)—
(A)in paragraph
(1)(A)—
(i)by
striking clause (i) and inserting the following:
(i)developing,
procuring, or otherwise making use of information technology that collects,
maintains, or disseminates personally identifiable information;
or
;
(ii)in
clause (ii)(II)—
(I)by striking
information in an identifiable form
and inserting
personally identifiable information
; and
(II)by striking
, other than agencies, instrumentalities, or employees of the Federal
Government.
and inserting ; and
; and
(iii)by adding at
the end the following:
(iii)using
personally identifiable information purchased, or subscribed to for a fee, from
a commercial data source.
;
and
(B)in paragraph
(2)(B)—
(i)in
clause (i), by striking information that is in an identifiable
form
and inserting personally identifiable information
;
and
(ii)in
clause (ii)—
(I)in subclause
(VI), by striking and
at the end;
(II)in subclause
(VII), by striking the period and inserting ; and
; and
(III)by adding at
the end the following:
(VIII)to what extent
risks to privacy protection are created by the use of the information and what
steps have been taken to mitigate such
risks.
;
and
(2)by striking
subsection (d) and inserting the following:
(d)In
this section, the term personally identifiable information means
any information about an individual maintained by an agency, including—
(1)any information
that can be used to distinguish or trace an individual’s identity, such as
name, social security number, date and place of birth, mother’s maiden name, or
biometric records; or
(2)any other
information that is linked or linkable to an individual, such as medical,
educational, financial, and employment
information.
.
4.Amendments to
chapters 35 and 36 of title 44, United States Code
(a)Office of
Management and BudgetSection 3504 of title 44, United States
Code, is amended—
(1)in subsection
(a)(1)(A)—
(A)in clause (iv),
by inserting and
after the semicolon;
(B)by striking
clause (v); and
(C)by redesignating
clause (vi) as clause (v);
(2)by striking
subsection (g); and
(3)by redesignating
subsection (h) as subsection (g).
(b)Federal
information privacy policy
(1)Chapter 35 of title 44, United States Code, is amended by
adding at the end the following:
IVFederal
information privacy policy
3561.The purposes of this subchapter are
to—
(1)ensure the
consistent application of privacy protections to personally identifiable
information collected, maintained, and used by all agencies;
(2)strengthen the
responsibility and accountability of the Office of Management and Budget for
overseeing privacy protection in agencies;
(3)improve agency
responses to privacy breaches to better inform and protect the public from the
misuse of personally identifiable information;
(4)strengthen the
responsibility and accountability of agency officials for ensuring effective
implementation of privacy protection requirements; and
(5)ensure that
agency use of commercial sources of information and information system services
provides adequate information security and privacy protections.
3562.
(a)Except as provided under subsection (b), the definitions
under section 3502 shall apply to this subchapter.
(b)In this subchapter—
(1)the term
Council means the Chief Privacy Officers Council established under
section 3567;
(2)the term
personally identifiable information means any information about an
individual maintained by an agency, including—
(A)any information
that can be used to distinguish or trace an individual’s identity, such as
name, social security number, date and place of birth, mother’s maiden name, or
biometric records; and
(B)any other
information that is linked or linkable to an individual, such as medical,
educational, financial, and employment information; and
(3)the term
data broker means a person or entity that for a fee regularly
engages in the practice of collecting, transmitting, or providing access to
personally identifiable information concerning more than 5,000 individuals who
are not the customers or employees of that person or entity (or an affiliated
entity) primarily for the purposes of providing such information to
non-affiliated third parties on an interstate basis.
3563.Authority and
functions of the Director
(a)In fulfilling the
responsibility to administer the functions assigned under subchapter I, the
Director of the Office of Management and Budget shall comply with this
subchapter with respect to the specific matters covered by this
subchapter.
(b)The Director
shall oversee agency privacy protection policies and practices, including
by—
(1)developing and
overseeing the implementation of policies, principles, standards, and
guidelines on privacy protection;
(2)providing
direction and overseeing privacy, confidentiality, security, disclosure, and
sharing of information;
(3)overseeing agency
compliance with laws relating to privacy protection, including the requirements
of this subchapter, section 552a of title 5 (commonly referred to as the
Privacy Act), and section 208 of the E-Government Act of 2002;
(4)coordinating
privacy protection policies and procedures with related information resources
management policies and procedures, including through ensuring that privacy
protection considerations are taken into account in managing the collection of
information and the control of paperwork as provided under subchapter I;
and
(5)appointing a
Federal Chief Privacy Officer under section 3564.
3564.Specific
responsibilities of the Federal Chief Privacy Officer
(a)Federal Chief
Privacy Officer
(1)In
this section—
(A)the term
Senior Executive Service position has the meaning given under
section 3132(a)(2) of title 5; and
(B)the term
noncareer appointee has the meaning given under section 3132(a)(7)
of title 5.
(2)There
is established the position of the Federal Chief Privacy Officer within the
Office of Management and Budget. The position shall be a Senior Executive
Service position. The Director shall appoint a noncareer appointee to the
position. The primary responsibilities of the position shall be the
responsibilities under subsection (b).
(3)The
individual appointed to be the Federal Chief Privacy Officer shall possess
demonstrated expertise in privacy protection policy and Government
information.
(b)The
Federal Chief Privacy Officer shall—
(1)carry out the
responsibilities of the Director under this subchapter;
(2)provide overall
direction, consistent with the Office of Management and Budget guidance,
section 552a of title 5 (commonly referred to as the Privacy Act), and section
208 of the E-Government Act of 2002, of privacy policy governing the Federal
Government’s collection, use, sharing, disclosure, transfer, storage, security,
and disposition of personally identifiable information;
(3)to the extent
that the Federal Chief Privacy Officer considers appropriate, establish
procedures to review and approve privacy documentation before public
dissemination;
(4)serve as the
principal advisor for Federal privacy policy matters to the Executive Office of
the President, including the President, the Director, the National Security
Council, the Homeland Security Council, and the Office of Science and
Technology Policy;
(5)coordinate with
the Privacy and Civil Liberties Oversight Board established under section 1061
of the Intelligence Reform and Terrorism Prevention Act of 2004 (5 U.S.C. 601
note); and
(6)every 2 years
submit a report to Congress on the protection of privacy by the United States
Government, including the status of implementation of requirements under this
subchapter and other privacy related laws and policies.
3565.Privacy
breach requirementsThe
Director shall establish and oversee policies and procedures for agencies to
follow in the event of a breach of information security involving the
disclosure of personally identifiable information and for which harm to an
individual could reasonably be expected to result, including—
(1)a requirement for
timely notice to be provided to those individuals whose personally identifiable
information could be compromised as a result of such breach, except no notice
shall be required if the breach does not create a reasonable risk of identity
theft, fraud, or other unlawful conduct regarding such individual;
(2)guidance on
determining how timely notice is to be provided;
(3)guidance
regarding whether additional actions are necessary and appropriate, including
data breach analysis, fraud resolution services, identity theft insurance, and
credit protection or monitoring services; and
(4)requirements for
timely reporting by the agencies of such breaches to the director and the
Federal information security incident center referred to in section
3546.
3566.
(a)In addition to
requirements under section 1062 of the National Security Intelligence Reform
Act of 2004, and in fulfilling the responsibilities under section 3506(g), the
head of each agency shall ensure compliance with laws relating to privacy
protection, including the requirements of this subchapter, section 552a of
title 5 (commonly referred to as the Privacy Act), and section 208 of the
E-Government Act of 2002.
(b)In the case of an
agency that has not designated a Chief Privacy Officer under section 522 of the
Transportation, Treasury, Independent Agencies and General Government
Appropriations Act, 2005 (42 U.S.C. 2000ee–2), the head of each agency
shall—
(1)designate a
senior official to be the chief privacy officer of that agency; and
(2)provide to the
chief privacy officer such information as the officer considers
necessary.
(c)Responsibilities
of agency chief privacy officerEach chief privacy officer shall
have primary responsibility for assuring the adequacy of privacy protections
for personally identifiable information collected, used, or disclosed by the
agency, including—
(1)ensuring that the
use of technologies sustain, and do not erode, privacy protections relating to
the use, collection, and disclosure of personal information, including through
the conduct of privacy impact assessments as provided by section 208 of the
E-Government Act of 2002;
(2)ensuring that
personal information is handled in full compliance with fair information
practices under section 552a of title 5 (commonly referred to as the Privacy
Act) and other applicable laws and policies;
(3)evaluating
legislative and regulatory proposals involving collection, use, and disclosure
of personally identifiable information;
(4)coordinating with
the chief information officer to ensure that privacy is adequately addressed in
the agency information security program, established under section 3544;
(5)coordinating with
other senior officials to ensure programs, policies, and procedures involving
civil rights, civil liberties, and privacy considerations addressed in an
integrated and comprehensive manner; and
(6)reporting
periodically to the head of the agency on agency privacy protection
activities.
3567.Chief Privacy
Officers Council
(a)There
is established in the executive branch a Chief Privacy Officers Council.
(b)
(1)The members of the Council shall be as follows:
(A)The Federal Chief
Privacy Officer, who shall serve as chairperson of the Council.
(B)Chief Privacy
Officers established under section 522 of division H of the Consolidated
Appropriations Act, 2005 (42 U.S.C. 2000ee–2; Public Law 108–447).
(C)The chairperson
of the Privacy and Civil Liberties Oversight Board.
(D)As designated by
the chairperson of the Council, any senior agency official designated to be a
chief privacy officer under section 3566.
(E)The Administrator
of the Office of Electronic Government, as an ex-officio member.
(F)The Administrator
of the Office of Information and Regulatory Affairs, as an ex-officio
member.
(G)Any other officer
or employee of the United States designated by the chairperson.
(2)An ex-officio member may not vote in Council
proceedings.
(c)The Administrator of the General Services shall provide
administrative and other support for the Council.
(d)The
Council shall—
(1)be an interagency
forum for establishing best practices for agency privacy policy;
(2)share, and
promote the development of, best practices to assure that the use of
technologies sustains, and does not erode, privacy protections relating to the
use, collection, and disclosure of personal information; assure that personal
information contained in systems of records are handled in full compliance with
fair information practices; and evaluate legislative and regulatory proposals
involving collection, use, and disclosure of personal information by the
Federal Government; and
(3)submit proposed
improvements to privacy practices to the
Director.
.
(2)Technical and
conforming amendmentThe table of sections for chapter 35 of
title 44, United States Code, is amended by adding at the end the
following:
SUBCHAPTER IV—Federal information privacy policy
Sec.
3561. Purposes.
3562. Definitions.
3563. Authority and functions of the Director.
3564. Specific responsibilities of the Chief Privacy
Officer.
3565. Privacy breach requirements.
3566. Agency responsibilities.
3567. Chief Privacy Officers
Council.
.
(c)Section 3602(d) of
title 44, United States Code, is amended by inserting and the Federal
Chief Privacy Officer
after Information and Regulatory
Affairs
.
5.Amendments to
section 1062 of the National Intelligence Reform Act of 2004Section 1062 of the National Intelligence
Reform Act of 2004 (42 U.S.C. 2000ee–1) is amended—
(1)by redesignating subsection (d) through (h)
as subsections (e) through (i); and
(2)by striking
subsection (c) and inserting the following:
(c)
(1)Each privacy officer or civil liberties officer described
under subsection (a) or (b) may—
(A)have access to
all records, reports, audits, reviews, documents, papers, recommendations, and
other materials available to the Department, agency, or element of the
executive branch that relate to programs and operations with respect to the
responsibilities of the senior official under this section;
(B)make such
investigations and reports relating to the administration of the programs and
operations of the Department, agency, or element of the executive branch as
are, in the senior official's judgment, necessary or desirable;
(C)subject to the
approval of the Secretary or head of the agency or element of the executive
branch, require by subpoena the production, by any person other than a Federal
agency, of all information, documents, reports, answers, records, accounts,
papers, and other data and documentary evidence necessary to performance of the
responsibilities of the senior official under this section; and
(D)administer to or
take from any person an oath, affirmation, or affidavit, whenever necessary to
performance of the responsibilities of the senior official under this
section.
(2)Any subpoena issued under paragraph (1)(C) shall, in
the case of contumacy or refusal to obey, be enforceable by order of any
appropriate United States district court.
(3)Any oath, affirmation, or affidavit administered or taken
under paragraph (1)(D) by or before an employee of the Privacy Office
designated for that purpose by the senior official appointed under subsection
(a) shall have the same force and effect as if administered or taken by or
before an officer having a seal of office.
(d)Supervision and
coordination
(1)Each privacy officer or civil liberties officer described
under subsection (a) or (b) shall—
(A)report to, and be
under the general supervision of, the Secretary; and
(B)coordinate
activities with the Inspector General of the Department in order to avoid
duplication of effort.
(2)Coordination
with the Inspector General
(A)Except as provided in subparagraph (B), the senior
official appointed under subsection (a) may investigate any matter relating to
possible violations or abuse concerning the administration of any program or
operation of the Department, agency, or element of the executive branch
relevant to the purposes under this section.
(B)
(i)Before
initiating any investigation described under subparagraph (A), the senior
official shall refer the matter and all related complaints, allegations, and
information to the Inspector General of the Department, agency, or element of
the executive branch.
(ii)Determinations
and notifications by the Inspector GeneralNot later than 30 days
after the receipt of a matter referred under clause (i), the Inspector General
shall—
(I)make a
determination regarding whether the Inspector General intends to initiate an
audit or investigation of the matter referred under clause (i); and
(II)notify the
senior official of that
determination.
.