[Congressional Record Volume 157, Number 156 (Tuesday, October 18, 2011)]
[Senate]
[Pages S6668-S6672]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

      By Mr. AKAKA:
  S. 1732. A bill to amend section 552a of title 5, United States Code 
(commonly referred to as the Privacy Act), the E-Government Act of 2002 
(Public Law 107-347), and chapters 35 and 36 of title 44, United States 
Code, and other provisions of law to modernize and improve Federal 
privacy laws; to the Committee on Homeland Security and Governmental 
Affairs.

  Mr. AKAKA. Mr. President, today I am introducing the Privacy Act 
Modernization for the Information Age Act of 2011.
  In 1974, Congress enacted the Privacy Act to protect Americans' 
personal information from improper disclosure by the Federal 
government. Broadly, the Privacy Act requires that government agencies 
allow individuals to see any records an agency keeps on him or her, 
with some exceptions for security and law enforcement, limits the 
extent to which the government may share data with agencies and 
third parties, allows individuals to access and correct their records, 
requires agencies to provide notice of what data is collected and how 
it is used and to keep records of disclosures, and provides individuals 
the ability to enforce their rights under the act.
  With the expansion of technology and the proliferation of personally 
identifiable information in the hands of government agencies, the risk 
of losing, abusing, or misusing information has grown exponentially. In 
particular, over the last 10 years security needs have created pressure 
on agencies to use existing personal information in new ways, not 
contemplated when the information was collected. The growth in the 
business of buying and selling individuals' information also raises new 
questions about the extent to which the Privacy Act applies to these 
sources of data on individuals used by the government. Meanwhile, there 
have been few updates to the Privacy Act, leaving it better suited to 
file cabinets and clunky 30-year-old databases than the modern 
information technology systems in use at agencies today.
  In 2008, the Government Accountability Office, GAO, released a report 
that I requested entitled, ``Privacy: Alternatives Exist for Enhancing 
Protection of Personally Identifiable Information'', GAO-08-536. GAO 
later testified about its findings at a Homeland Security and 
Governmental Affairs Committee hearing where it identified issues in 
three main areas that could be enhanced: applying privacy protections 
consistently to all Federal collection and use of personal information; 
ensuring that collection and use of personally identifiable information 
is limited to a stated purpose; and establishing effective mechanisms 
for informing the public about privacy protections.
  After examining these recommendations and consulting with outside 
privacy experts, working groups, and privacy and civil liberties 
advocates, I am introducing the Privacy Act Modernization for the 
Information Age Act of 2011. This bill addresses the issues raised by 
GAO, adds stronger privacy leadership at the Office of Management and 
Budget to ensure effective execution of the Privacy Act, and extends 
authority for privacy officers to investigate possible violations of 
privacy laws.
  This bill updates the Privacy Act in several ways. It simplifies some 
of the definitions to apply them to modern information technology 
management ideas that were in their infancy in 1974. It also tightens 
requirements for agency controls and maintenance of records to ensure 
their use is authorized, and that personally identifiable information 
is not misused.
  Agencies would also be more accountable to the public in protecting 
information. Notifications of systems with personally identifiable 
information would be more relevant, transparent, and accessible, 
allowing Americans to know which agencies may have what information 
about them and in what systems. Importantly, the bill would create a 
centralized privacy website containing System of Records Notices and 
other related privacy information.
  If civil or criminal violations of the Privacy Act do occur, the 
penalties have been updated to reflect similar penalties in other laws. 
The bill would also clarify Congress's intent in the statutory damages 
provision in the Privacy Act by overturning Doe v. Chao, in which the 
Supreme Court, I believe wrongly, held that an individual has to show 
actual damages resulted from an intentional or willful improper 
disclosure of personal information in order to receive an award.
  My bill also builds on important new privacy protections introduced 
in the E-Government Act of 2002, which established a requirement for a 
Privacy Impact Assessment on certain new systems developed at agencies 
that contain personally identifiable information. It also codifies the 
term ``personally identifiable information,'' which has been defined by 
the Office of Management and Budget, OMB, for years in conjunction with 
the Privacy Act. This will let us focus on protecting personally 
identifiable information rather than defining it.
  The Privacy Act Modernization for the Information Age Act of 2011 
would expand a successful tool given to the Department of Homeland 
Security, DHS, Chief Privacy Officer, CPO, to other major agency CPOs. 
In 2008, I championed the POWER Act, which gave the DHS CPO the 
authority to investigate possible violations of privacy laws if an 
Inspector General declines to investigate. I am pleased to say this 
authority has not been abused, and in fact has been used only once at 
DHS where its Inspector General inadvertently experienced a minor data 
breach, and the CPO investigated the issue. This is a useful tool that 
I believe other privacy offices overseeing massive amounts of 
personally identifiable information could benefit from.
  Finally, my bill would create a strong Federal Chief Privacy Officer, 
FCPO, at OMB as well as a government-wide Chief Privacy Officers 
Council, to fill the wide gaps in government-wide privacy leadership 
and ensure consistent development of policies and guidance on the 
Privacy Act across agencies. The FCPO position existed under President 
Clinton, but it has not been replicated by subsequent administrations. 
I have been impressed with DHS's leadership on privacy issues, thanks 
to tools we have put into law and the resources we have provided. It is 
equally important to enhance government-wide leadership through the 
FCPO and the Chief Privacy Officers Council, which will create a better 
environment to share ideas across agencies.
  This bill would be an important step forward in modernizing how 
government agencies execute their obligations to protect the personal 
information provided to them by all Americans. With the proliferation 
of data about every one of us online, and possibly creeping into 
government databases, we need more transparency so the average person 
has a place to go to learn about what information the government is 
keeping and how they can access that information. I urge my colleagues 
to support this effort and to continue to work with me and the Homeland 
Security and Governmental Affairs Committee to produce legislation to 
improve Federal privacy before this Congress adjourns.
  Mr. President, I ask unanimous consent that the text of the bill be 
printed in the Record.
  There being no objection, the text of the bill was ordered to be 
printed in the Record, as follows:

                                S. 1732

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Privacy Act Modernization 
     for the Information Age Act of 2011''.

     SEC. 2. AMENDMENTS TO THE PRIVACY ACT.

       (a) Definitions.--Section 552a(a) of title 5, United 
     States Code, (commonly referred to as the Privacy Act), is 
     amended--
       (1) in paragraph (4), by striking ``that is maintained by 
     an agency, including, but not limited to, his'' and inserting 
     ``, including'';
       (2) by striking paragraph (5) and inserting the following:
       ``(5) the term `system of records' means a group of any 
     records maintained by, or otherwise under the control of any 
     agency that is used for any authorized purpose by or on 
     behalf of the agency;''.
       (3) by striking paragraph (7) and inserting the following:
       ``(7) the term `routine use' means, with respect to the 
     disclosure of a record, the use of such record for a purpose 
     which, as determined by the agency, is compatible with the 
     purpose for which it was collected and is appropriate and 
     reasonably necessary for the efficient and effective conduct 
     of Government;''.
       (4) in paragraph (8)(A)(i)--
       (A) by striking ``two or more automated systems of records 
     or a system of records with non-Federal records'' and 
     inserting ``data from a system of records'';
       (B) in subclause (I), by inserting ``or State'' after 
     ``Federal''; and
       (C) in subclause (II), by inserting ``or State'' after 
     ``Federal''.
       (b) Conditions of Disclosure.--Section 552a(b) of title 5, 
     United States Code, is amended--
       (1) in paragraph (1), by inserting ``that is consistent 
     with, and related to, any purpose described under subsection 
     (e)(2)(D) of this section'' before the semicolon;
       (2) in paragraph (3), by striking ``(e)(4)(D)'' and 
     inserting ``(e)(2)(D)(iv) or subsection (v)'';
       (3) in paragraph (6), by inserting ``or for records 
     management inspections authorized by statute'' before the 
     semicolon;
       (4) in paragraph (7), by inserting ``, notwithstanding any 
     requirements of a routine use as defined under subsection 
     (a)(7),'' before ``to another agency'';
       (5) in paragraph (8), by striking ``upon such disclosure 
     notification is transmitted to the last known address of such 
     individual'' and inserting ``a reasonable attempt to notify 
     the individual is made promptly after the disclosure''; and
       (6) by striking paragraph (9) and inserting the following:
       ``(9)(A) to either House of Congress;
       ``(B) to the extent of matter within its jurisdiction, any 
     committee or subcommittee thereof, any joint committee of 
     Congress or subcommittee of any such joint committee; or
       ``(C) to the office of a Member of Congress when that 
     office is requesting records about a specific individual on 
     behalf of that individual in response to a written request 
     for assistance by that individual;''.
       (c) Accounting of Certain Disclosures.--Section 552a(c) of 
     title 5, United States Code, is amended by inserting 
     ``whether in an electronic or other format'' after ``system 
     of records under its control''.
       (d) Agency Requirements.--Section 552a of title 5, United 
     States Code, is amended by striking subsection (e) and 
     inserting the following:
       ``(e) Agency Requirements.--
       ``(1) Authorized purpose.--No agency shall use a record 
     except for an authorized purpose and as maintained in a 
     system of records under this section.
       ``(2) Requirements.--Each agency shall--
       ``(A) maintain in its records only such information about 
     an individual as is relevant and necessary to accomplish any 
     specified purpose of the agency required to be accomplished 
     by statute or by executive order of the President, and only 
     retain such information as long as is necessary to fulfill 
     that purpose or as otherwise required by law;
       ``(B) collect information to the greatest extent 
     practicable directly from the subject individual when the 
     information may result in adverse determinations about an 
     individual's rights, benefits, and privileges;
       ``(C) inform each individual whom it asks to supply 
     information creating a record, at the time the information is 
     requested--
       ``(i) the authority (whether granted by statute or by 
     executive order of the President) which authorizes the 
     solicitation of the information and whether disclosure of 
     such information is voluntary or required to receive a right, 
     benefit, or privilege;
       ``(ii) the principal purpose or purposes for which the 
     information is intended to be used;
       ``(iii) the routine uses which may be made of the 
     information, as published under subparagraph (D)(iv);
       ``(iv) any effects on that individual of not providing all 
     or any part of the requested information;
       ``(v) the procedures and contact information for accessing 
     or correcting such information; and
       ``(vi) a reference to learning how such information will be 
     used or disclosed, including the simplest access to the 
     current system of records notice;
       ``(D) subject to the provisions of subparagraph (K), 
     publish in the Federal Register, make broadly accessible to 
     the public through a centralized website maintained by the 
     Office of Management and Budget, and link to such centralized 
     website from each agency's website, upon establishment or 
     revision a notice of the existence and character of the 
     system of records, which notice shall include--
       ``(i) the name and location of the system;
       ``(ii) the categories of individuals on whom records are 
     maintained in the system;
       ``(iii) the categories of records maintained in the system;
       ``(iv) any purpose for which the information is intended to 
     be used, including each routine use;
       ``(v) the legal authority for any purpose for which the 
     information is utilized granted by statute, executive order, 
     or other authorization;
       ``(vi) the policies and practices of the agency regarding 
     storage, retrievability, access controls, retention, and 
     disposal of the records;
       ``(vii) the title and business address of the agency 
     official who is responsible for the system of records;
       ``(viii) the agency procedures whereby an individual can be 
     notified at his request if the system of records contains a 
     record pertaining to him, how he can gain access to such a 
     record, or contest its content; and
       ``(ix) the sources of records in the system;
       ``(E) to the greatest extent practicable, ensure that all 
     records, including records from a third party source, which 
     are used by the agency in making any determination about an 
     individual are of such accuracy, relevance, timeliness, and 
     completeness as is reasonably necessary to assure fairness to 
     the individual in the determination, and upon request of the 
     individual, provide documentation of the same;
       ``(F) prior to disseminating any record about an individual 
     to any person other than an agency, unless the dissemination 
     is made pursuant to subsection (b)(2) of this section, make 
     reasonable efforts to assure that such records are accurate, 
     complete, timely, and relevant for agency purposes;
       ``(G) maintain no record describing how any individual 
     exercises rights guaranteed by the First Amendment unless 
     expressly authorized by statute or by the individual about 
     whom the record is maintained or unless pertinent to, and 
     within the scope of, an authorized law enforcement activity;
       ``(H) make reasonable efforts to notify an individual as 
     promptly as practicable after the agency receives compulsory 
     legal process for any record on the individual, unless that 
     notification is prohibited by law or court order;
       ``(I) establish rules of conduct for persons involved in 
     the design, development, operation, or maintenance of any 
     system of records, or in maintaining any record, and instruct 
     each such person with respect to such rules and the 
     requirements of this section, including any other rules and 
     procedures adopted pursuant to this section and the penalties 
     for noncompliance;
       ``(J) establish appropriate administrative, technical, and 
     physical safeguards to insure the security and 
     confidentiality of records and to protect against any 
     anticipated threats or hazards to their security or integrity 
     which could result in substantial harm, embarrassment, 
     inconvenience, or unfairness to any individual on whom 
     information is maintained;
       ``(K) in regards to the establishment or revision of a 
     system of records under subparagraph (D)--
       ``(i) at least 30 days prior to creation or modification of 
     a system of records, publish the entire text of the proposed 
     system of records notice in the Federal Register and on the 
     centralized website established under subparagraph (D);
       ``(ii) provide an opportunity for interested persons to 
     submit written or electronic data, views, or arguments to the 
     agency regarding the proposed system of records notice;
       ``(iii) within 180 days after publication of a proposed 
     system of records notice, publish on the centralized website 
     established under subparagraph (D), a response to the 
     comments received, along with notice of whether the system of 
     records notice as published has taken effect; and
       ``(iv) provide a link to the centralized website from the 
     website of the agency,
     unless the Director of the Office of Management and Budget, 
     through the Federal Chief Privacy Officer grants an 
     exception, and that exception is published promptly in the 
     Federal Register and on the centralized website established 
     under subparagraph (D), including a link from the agency's 
     website;
       ``(L) if such agency is a recipient agency or a source 
     agency in a matching program with a non-Federal agency, with 
     respect to any establishment or revision of a matching 
     program, at least 30 days prior to conducting such program, 
     publish in the Federal Register notice of such establishment 
     or revision;
       ``(M) shall--
       ``(i) maintain an inventory on the number and scope of the 
     systems of records of that agency in a manner that clearly 
     and fairly describes activities of the agency to individuals; 
     and
       ``(ii) ensure that the inventory--
       ``(I) is annually updated and published in the Federal 
     Register, on the website established under subparagraph (D), 
     and on the agency's website; and
       ``(II) does not contain any information that would be 
     exempted from disclosure under this section or section 522 of 
     this title; and

       ``(N) make reasonable efforts to limit disclosure from a 
     system of records to minimum information necessary to 
     accomplish the purpose of the disclosure.''.
       (e) Agency Rules.--Section 552a(f) of title 5, United 
     States Code, is amended in the last sentence--
       (1) by striking ``biennially'' and inserting ``annually'';
       (2) by striking ``subsection (e)(4)'' and inserting 
     ``subsection (e)(2)(D)(iv)''; and
       (3) by striking ``at low cost'' and inserting 
     ``electronically, or at low cost physically''.
       (f) Civil Remedies.--Section 552a(g)(4) is amended--
       (1) by inserting ``and in which the complainant has 
     substantially prevailed'' after ``the agency acted in a 
     manner which was intentional or willful''; and
       (2) in subparagraph (A), by striking ``, but in no case 
     shall a person entitled to recovery receive less than the sum 
     of $1,000'' and inserting ``or the sum of $1,000, whichever 
     is greater, except that in a class action the minimum for 
     each individual shall be reduced as necessary to ensure that 
     the total recovery in any class action or series of class 
     actions arising out of the same refusal or failure to comply 
     by the same agency shall not be greater than $10,000,000''.
       (g) Criminal Penalties.--Section 552a(i) of title 5, United 
     States Code, is amended--
       (1) in paragraph (1)--
       (A) by inserting ``(A)'' before ``Any officer or 
     employee''; and
       (B) by adding at the end the following:
       ``(B) A person who commits the offense described under 
     subparagraph (A) with the intent to sell, transfer, or use an 
     agency record for commercial advantage, personal gain, or 
     malicious harm shall be fined not more than $250,000, 
     imprisoned for not more than 10 years, or both.''; and
       (2) in paragraph (3), by striking ``misdemeanor and fined 
     not more than $5,000'' and inserting ``felony and fined not 
     more than $100,000, imprisoned for not more than 5 years, or 
     both''.
       (h) General Exemptions.--Section 552a(j) of title 5, United 
     States Code, is amended by striking ``The head of any 
     agency'' and inserting ``Notwithstanding any requirements of 
     a routine use as defined under subsection (a)(7), the head of 
     any agency''.
       (i) Specific Exemptions.--Section 552a(k) of title 5, 
     United States Code, is amended by striking ``The head of any 
     agency'' and inserting ``Notwithstanding any requirements of 
     a routine use as defined under subsection (a)(7), the head of 
     any agency''.
       (j) Archival Records.--Section 552a(l) of title 5, United 
     States Code, is amended in paragraphs (2) and (3) by striking 
     ``National Archives of the United States'' each place that 
     term appears and inserting ``National Archives and Records 
     Administration''.
       (k) Government Contractors.--Section 552(m)(1) of title 5, 
     United States Code, is amended by striking ``for the 
     operation by or on behalf of the agency of a system of 
     records to accomplish an agency function'' and inserting ``or 
     other agreement, including with another agency, for the 
     maintenance of a system of records to accomplish an agency 
     function on behalf of the agency''.
       (l) Office of Management and Budget Responsibilities.--
     Section 552a(v) of title 5, United States Code, is amended--
       (1) in paragraph (1), by striking ``and'' after the 
     semicolon;
       (2) in paragraph (2), by striking the period and inserting 
     ``; and''; and
       (3) by adding at the end the following:
       ``(3) establish and update a list of recommended standard 
     routine uses.''.

     SEC. 3. AMENDMENTS TO THE E-GOVERNMENT ACT OF 2002.

       Section 208 of the E-Government Act of 2002 (44 U.S.C. 3501 
     note; Public Law 107-347) is amended--
       (1) in subsection (b)--
       (A) in paragraph (1)(A)--
       (i) by striking clause (i) and inserting the following:
       ``(i) developing, procuring, or otherwise making use of 
     information technology that collects, maintains, or 
     disseminates personally identifiable information; or'';
       (ii) in clause (ii)(II)--

       (I) by striking ``information in an identifiable form'' and 
     inserting ``personally identifiable information''; and
       (II) by striking ``, other than agencies, 
     instrumentalities, or employees of the Federal Government.'' 
     and inserting ``; and''; and

       (iii) by adding at the end the following:
       ``(iii) using personally identifiable information 
     purchased, or subscribed to for a fee, from a commercial data 
     source.''; and
       (B) in paragraph (2)(B)--
       (i) in clause (i), by striking ``information that is in an 
     identifiable form'' and inserting ``personally identifiable 
     information''; and
       (ii) in clause (ii)--

       (I) in subclause (VI), by striking ``and'' at the end;
       (II) in subclause (VII), by striking the period and 
     inserting ``; and''; and
       (III) by adding at the end the following:
       ``(VIII) to what extent risks to privacy protection are 
     created by the use of the information and what steps have 
     been taken to mitigate such risks.''; and

       (2) by striking subsection (d) and inserting the following:
       ``(d) Definition.--In this section, the term `personally 
     identifiable information' means any information about an 
     individual maintained by an agency, including--
       ``(1) any information that can be used to distinguish or 
     trace an individual's identity, such as name, social security 
     number, date and place of birth, mother's maiden name, or 
     biometric records; or
       ``(2) any other information that is linked or linkable to 
     an individual, such as medical, educational, financial, and 
     employment information.''.

     SEC. 4. AMENDMENTS TO CHAPTERS 35 AND 36 OF TITLE 44, UNITED 
                   STATES CODE.

       (a) Office of Management and Budget.--Section 3504 of title 
     44, United States Code, is amended--
       (1) in subsection (a)(1)(A)--
       (A) in clause (iv), by inserting ``and'' after the 
     semicolon;
       (B) by striking clause (v); and
       (C) by redesignating clause (vi) as clause (v);
       (2) by striking subsection (g); and
       (3) by redesignating subsection (h) as subsection (g).
       (b) Federal Information Privacy Policy.--
       (1) In general.--Chapter 35 of title 44, United States 
     Code, is amended by adding at the end the following:

          ``SUBCHAPTER IV--FEDERAL INFORMATION PRIVACY POLICY

     ``Sec. 3561. Purposes

       ``The purposes of this subchapter are to--
       ``(1) ensure the consistent application of privacy 
     protections to personally identifiable information collected, 
     maintained, and used by all agencies;
       ``(2) strengthen the responsibility and accountability of 
     the Office of Management and Budget for overseeing privacy 
     protection in agencies;
       ``(3) improve agency responses to privacy breaches to 
     better inform and protect the public from the misuse of 
     personally identifiable information;
       ``(4) strengthen the responsibility and accountability of 
     agency officials for ensuring effective implementation of 
     privacy protection requirements; and
       ``(5) ensure that agency use of commercial sources of 
     information and information system services provides adequate 
     information security and privacy protections.

     ``Sec. 3562. Definitions

       ``(a) In General.--Except as provided under subsection (b), 
     the definitions under section 3502 shall apply to this 
     subchapter.
       ``(b) Additional Definitions.--In this subchapter--
       ``(1) the term `Council' means the Chief Privacy Officers 
     Council established under section 3567;
       ``(2) the term `personally identifiable information' means 
     any information about an individual maintained by an agency, 
     including--
       ``(A) any information that can be used to distinguish or 
     trace an individual's identity, such as name, social security 
     number, date and place of birth, mother's maiden name, or 
     biometric records; and
       ``(B) any other information that is linked or linkable to 
     an individual, such as medical, educational, financial, and 
     employment information; and
       ``(3) the term `data broker' means a person or entity that 
     for a fee regularly engages in the practice of collecting, 
     transmitting, or providing access to personally identifiable 
     information concerning more than 5,000 individuals who are 
     not the customers or employees of that person or entity (or 
     an affiliated entity) primarily for the purposes of providing 
     such information to non-affiliated third parties on an 
     interstate basis.

     ``Sec. 3563. Authority and functions of the Director

       ``(a) In fulfilling the responsibility to administer the 
     functions assigned under subchapter I, the Director of the 
     Office of Management and Budget shall comply with this 
     subchapter with respect to the specific matters covered by 
     this subchapter.
       ``(b) The Director shall oversee agency privacy protection 
     policies and practices, including by--
       ``(1) developing and overseeing the implementation of 
     policies, principles, standards, and guidelines on privacy 
     protection;
       ``(2) providing direction and overseeing privacy, 
     confidentiality, security, disclosure, and sharing of 
     information;
       ``(3) overseeing agency compliance with laws relating to 
     privacy protection, including the requirements of this 
     subchapter, section 552a of title 5 (commonly referred to as 
     the Privacy Act), and section 208 of the E-Government Act of 
     2002;
       ``(4) coordinating privacy protection policies and 
     procedures with related information resources management 
     policies and procedures, including through ensuring that 
     privacy protection considerations are taken into account in 
     managing the collection of information and the control of 
     paperwork as provided under subchapter I; and
       ``(5) appointing a Federal Chief Privacy Officer under 
     section 3564.

     ``Sec. 3564. Specific responsibilities of the Federal Chief 
       Privacy Officer

       ``(a) Federal Chief Privacy Officer.--
       ``(1) Definitions.--In this section--
       ``(A) the term `Senior Executive Service position' has the 
     meaning given under section 3132(a)(2) of title 5; and
       ``(B) the term `noncareer appointee' has the meaning given 
     under section 3132(a)(7) of title 5;
       ``(2) Establishment.--There is established the position of 
     the Federal Chief Privacy Officer within the Office of 
     Management and Budget. The position shall be a Senior 
     Executive Service position. The Director shall appoint a 
     noncareer appointee to the position. The primary 
     responsibilities of the position shall be the 
     responsibilities under subsection (b).
       ``(3) Qualifications.--The individual appointed to be the 
     Federal Chief Privacy Officer shall possess demonstrated 
     expertise in privacy protection policy and Government 
     information.
       ``(b) Responsibilities.--The Federal Chief Privacy Officer 
     shall--
       ``(1) carry out the responsibilities of the Director under 
     this subchapter;
       ``(2) provide overall direction, consistent with the Office 
     of Management and Budget guidance, section 552a of title 5 
     (commonly referred to as the Privacy Act), and section 208 of 
     the E-Government Act of 2002, of privacy policy governing the 
     Federal Government's collection, use, sharing, disclosure, 
     transfer, storage, security, and disposition of personally 
     identifiable information;
       ``(3) to the extent that the Federal Chief Privacy Officer 
     considers appropriate, establish procedures to review and 
     approve privacy documentation before public dissemination;
       ``(4) serve as the principal advisor for Federal privacy 
     policy matters to the Executive Office of the President, 
     including the President, the Director, the National Security 
     Council, the Homeland Security Council, and the Office of 
     Science and Technology Policy;
       ``(5) coordinate with the Privacy and Civil Liberties 
     Oversight Board established under section 1061 of the 
     Intelligence Reform and Terrorism Prevention Act of 2004 (5 
     U.S.C. 601 note); and
       ``(6) every 2 years submit a report to Congress on the 
     protection of privacy by the United States Government, 
     including the status of implementation of requirements under 
     this subchapter and other privacy related laws and policies.

     ``Sec. 3565. Privacy breach requirements

       ``The Director shall establish and oversee policies and 
     procedures for agencies to follow in the event of a breach of 
     information security involving the disclosure of personally 
     identifiable information and for which harm to an individual 
     could reasonably be expected to result, including--
       ``(1) a requirement for timely notice to be provided to 
     those individuals whose personally identifiable information 
     could be compromised as a result of such breach, except no 
     notice shall be required if the breach does not create a 
     reasonable risk of identity theft, fraud, or other unlawful 
     conduct regarding such individual;
       ``(2) guidance on determining how timely notice is to be 
     provided;
       ``(3) guidance regarding whether additional actions are 
     necessary and appropriate, including data breach analysis, 
     fraud resolution services, identity theft insurance, and 
     credit protection or monitoring services; and
  ``(4) requirements for timely reporting by the agencies of 
     such breaches to the Director and the Federal information 
     security incident center referred to in section 3546.

     ``Sec. 3566. Agency responsibilities

       ``(a) In General.--In addition to requirements under 
     section 1062 of the National Security Intelligence Reform Act 
     of 2004, and in fulfilling the responsibilities under section 
     3506(g), the head of each agency shall ensure compliance with 
     laws relating to privacy protection, including the 
     requirements of this subchapter, section 552a of title 5 
     (commonly referred to as the Privacy Act), and section 208 of 
     the E-Government Act of 2002.
       ``(b) Chief Privacy Officers.--In the case of an agency 
     that has not designated a Chief Privacy Officer under section 
     522 of the Transportation, Treasury, Independent Agencies and 
     General Government Appropriations Act, 2005 (42 U.S.C. 
     2000ee-2), the head of each agency shall--
       ``(1) designate a senior official to be the chief privacy 
     officer of that agency; and
       ``(2) provide to the chief privacy officer such information 
     as the officer considers necessary.
       ``(c) Responsibilities of Agency Chief Privacy Officer.--
     Each chief privacy officer shall have primary responsibility 
     for assuring the adequacy of privacy protections for 
     personally identifiable information collected, used, or 
     disclosed by the agency, including--
  ``(1) ensuring that the use of technologies sustains, and does 
     not erode, privacy protections relating to the use, 
     collection, and disclosure of personal information, including 
     through the conduct of privacy impact assessments as provided 
     by section 208 of the E-Government Act of 2002;
       ``(2) ensuring that personal information is handled in full 
     compliance with fair information practices under section 552a 
     of title 5 (commonly referred to as the Privacy Act) and 
     other applicable laws and policies;
       ``(3) evaluating legislative and regulatory proposals 
     involving collection, use, and disclosure of personally 
     identifiable information;
       ``(4) coordinating with the chief information officer to 
     ensure that privacy is adequately addressed in the agency 
     information security program, established under section 3544;
  ``(5) coordinating with other senior officials to ensure that 
     programs, policies, and procedures involving civil rights, 
     civil liberties, and privacy considerations are addressed in an 
     integrated and comprehensive manner; and
       ``(6) reporting periodically to the head of the agency on 
     agency privacy protection activities.

     ``Sec. 3567. Chief Privacy Officers Council

       ``(a) Establishment.--There is established in the executive 
     branch a Chief Privacy Officers Council.
       ``(b) Membership.--
       ``(1) In general.--The members of the Council shall be as 
     follows:
       ``(A) The Federal Chief Privacy Officer, who shall serve as 
     chairperson of the Council.
  ``(B) Chief Privacy Officers established under section 522 
     of division H of the Consolidated Appropriations Act, 2005 
     (42 U.S.C. 2000ee-2; Public Law 108-447).
       ``(C) The chairperson of the Privacy and Civil Liberties 
     Oversight Board.
       ``(D) As designated by the chairperson of the Council, any 
     senior agency official designated to be a chief privacy 
     officer under section 3566.
       ``(E) The Administrator of the Office of Electronic 
     Government, as an ex-officio member.
       ``(F) The Administrator of the Office of Information and 
     Regulatory Affairs, as an ex-officio member.
       ``(G) Any other officer or employee of the United States 
     designated by the chairperson.
       ``(2) Ex-officio members.--An ex-officio member may not 
     vote in Council proceedings.
  ``(c) Administrative Support.--The Administrator of 
     General Services shall provide administrative and other 
     support for the Council.
       ``(d) Functions.--The Council shall--
       ``(1) be an interagency forum for establishing best 
     practices for agency privacy policy;
  ``(2) share, and promote the development of, best practices 
     to assure that the use of technologies sustains, and does not 
     erode, privacy protections relating to the use, collection, 
     and disclosure of personal information; assure that personal 
     information contained in systems of records is handled in 
     full compliance with fair information practices; and evaluate 
     legislative and regulatory proposals involving collection, 
     use, and disclosure of personal information by the Federal 
     Government; and
       ``(3) submit proposed improvements to privacy practices to 
     the Director.''.
       (2) Technical and conforming amendment.--The table of 
     sections for chapter 35 of title 44, United States Code, is 
     amended by adding at the end the following:

           ``subchapter iv--federal information privacy policy

``Sec.
``3561. Purposes.
``3562. Definitions.
``3563. Authority and functions of the Director.
``3564. Specific responsibilities of the Chief Privacy Officer.
``3565. Privacy breach requirements.
``3566. Agency responsibilities.
``3567. Chief Privacy Officers Council.''.
       (c) Electronic Government.--Section 3602(d) of title 44, 
     United States Code, is amended by inserting ``and the Federal 
     Chief Privacy Officer'' after ``Information and Regulatory 
     Affairs''.

     SEC. 5. AMENDMENTS TO SECTION 1062 OF THE NATIONAL 
                   INTELLIGENCE REFORM ACT OF 2004.

       Section 1062 of the National Intelligence Reform Act of 
     2004 (42 U.S.C. 2000ee-1) is amended--
  (1) by redesignating subsections (d) through (h) as 
     subsections (e) through (i); and
       (2) by striking subsection (c) and inserting the following:
       ``(c) Authority To Investigate.--
       ``(1) In general.--Each privacy officer or civil liberties 
     officer described under subsection (a) or (b) may--
       ``(A) have access to all records, reports, audits, reviews, 
     documents, papers, recommendations, and other materials 
     available to the Department, agency, or element of the 
     executive branch that relate to programs and operations with 
     respect to the responsibilities of the senior official under 
     this section;
       ``(B) make such investigations and reports relating to the 
     administration of the programs and operations of the 
     Department, agency, or element of the executive branch as 
     are, in the senior official's judgment, necessary or 
     desirable;
       ``(C) subject to the approval of the Secretary or head of 
     the agency or element of the executive branch, require by 
     subpoena the production, by any person other than a Federal 
     agency, of all information, documents, reports, answers, 
     records, accounts, papers, and other data and documentary 
     evidence necessary to performance of the responsibilities of 
     the senior official under this section; and
       ``(D) administer to or take from any person an oath, 
     affirmation, or affidavit, whenever necessary to performance 
     of the responsibilities of the senior official under this 
     section.
       ``(2) Enforcement of subpoenas.--Any subpoena issued under 
     paragraph (1)(C) shall, in the case of contumacy or refusal 
     to obey, be enforceable by order of any appropriate United 
     States district court.
       ``(3) Effect of oaths.--Any oath, affirmation, or affidavit 
     administered or taken
     under paragraph (1)(D) by or before an employee of the 
     Privacy Office designated for that purpose by the senior 
     official appointed under subsection (a) shall have the same 
     force and effect as if administered or taken by or before an 
     officer having a seal of office.
       ``(d) Supervision and Coordination.--
       ``(1) In general.--Each privacy officer or civil liberties 
     officer described under subsection (a) or (b) shall--
       ``(A) report to, and be under the general supervision of, 
     the Secretary; and
       ``(B) coordinate activities with the Inspector General of 
     the Department in order to avoid duplication of effort.
       ``(2) Coordination with the inspector general.--
       ``(A) In general.--Except as provided in subparagraph (B), 
     the senior official appointed under subsection (a) may 
     investigate any matter relating to possible violations or 
     abuse concerning the administration of any program or 
     operation of the Department, agency, or element of the 
     executive branch relevant to the purposes under this section.
       ``(B) Coordination.--
       ``(i) Referral.--Before initiating any investigation 
     described under subparagraph (A), the senior official shall 
     refer the matter and all related complaints, allegations, and 
     information to the Inspector General of the Department, 
     agency, or element of the executive branch.
       ``(ii) Determinations and notifications by the inspector 
     general.--Not later than 30 days after the receipt of a 
     matter referred under clause (i), the Inspector General 
     shall--

       ``(I) make a determination regarding whether the Inspector 
     General intends to initiate an audit or investigation of the 
     matter referred under clause (i); and
       ``(II) notify the senior official of that determination.''.

                          ____________________