Requires each agency to conduct and record with its Inspector General a benchmark assessment of privacy and data protection policies and practices for the collection, use, sharing, disclosure, transfer, and security of personally identifiable information relating to employees and the public.
Requires each agency to perform an independent, third-party review of privacy and data protection practices every three years to: (1) determine the effectiveness of policies, practices, and procedures; and (2) ensure compliance with its stated privacy policy.
Requires each Inspector General to: (1) contract with an independent, third party to evaluate privacy and data protection policies and recommend strategies and steps to improve privacy and data protection management; and (2) report to the head of the agency on such review.
Requires agencies to make such assessments, reviews, and Inspector General reports available to the public on their websites.
[Congressional Bills 107th Congress]
[From the U.S. Government Publishing Office]
[S. 2629 Introduced in Senate (IS)]
107th CONGRESS
2d Session
S. 2629
To provide for an agency assessment, independent review, and Inspector
General report on privacy and data protection policies of Federal
agencies, and for other purposes.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
June 17, 2002
Mr. Daschle (for Mr. Torricelli) introduced the following bill; which
was read twice and referred to the Committee on Governmental Affairs
_______________________________________________________________________
A BILL
To provide for an agency assessment, independent review, and Inspector
General report on privacy and data protection policies of Federal
agencies, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. PRIVACY AND DATA PROTECTION POLICIES OF FEDERAL AGENCIES.
(a) Short Title.--This Act may be cited as the ``Federal Privacy
and Data Protection Policy Act of 2002''.
(b) Definitions.--In this Act, the term ``agency'' has the meaning
given that term under section 551(1) of title 5, United States Code.
(c) Findings.--Congress finds that--
(1) in the wake of the attacks on the United States on
September 11, 2001, Federal agencies are collecting an
increasing amount of personal information from and on
individuals as part of the expanded war on terrorism;
(2) the worthwhile goals of those data collection
initiatives are to help ensure homeland security and protect
the people of the United States from future acts of terrorism;
(3) protecting homeland security and fighting terrorism
requires not only seeking to protect lives and property in the
United States, but also ensuring that individual rights and
essential liberties are safeguarded;
(4) in order to achieve these goals, it is essential that
agencies properly manage, maintain, and secure personal
information on people in the United States from inappropriate
use, disclosure, or dissemination to third parties;
(5) because of the leading role of the Federal Government
in the expanded war on terrorism, the Federal Government should
serve as a role model for State and local government, and the
private sector, by establishing effective safeguards and
procedures to protect personal data of people in the United
States;
(6) in order to ensure that people in the United States
understand and have confidence in the proper use and safety of
personal information, it is essential for agencies to implement
effective privacy policies and procedures and to state those
privacy policies, both online and offline; and
(7) an essential part of ensuring that the people in the
United States have full confidence in the privacy and security
of personal information is to--
(A) have agencies confirm adherence by those
agencies to the stated policies; and
(B) have independent, third party review, and
confirmation of adherence.
(d) Purpose.--The purpose of this Act is to provide a framework for
ensuring effective data and privacy management by Federal agencies to--
(1) ensure public confidence and trust in how agencies
collect, maintain, and use personal information;
(2) ensure continued adherence to data protection and
privacy policies and procedures;
(3) ensure that individual rights and essential liberties
are protected; and
(4) provide for effective oversight of the collection and
use of individual information.
(e) Privacy Manager.--
(1) In general.--Each agency shall designate an employee of
that agency as the agency privacy manager to--
(A) be responsible for effective data protection
and management within that agency; and
(B) ensure compliance with the privacy and data
security policies.
(2) Additional responsibilities.--Each privacy manager
shall be responsible for--
(A) training and education for employees to promote
awareness of and compliance with the privacy and data
security policies; and
(B) developing recommended practices and procedures
to ensure compliance with the privacy and data security
policies.
(f) Benchmark Assessment.--
(1) In general.--Not later than 1 year after the date of
enactment of this Act, each agency shall conduct a detailed
benchmark assessment of the privacy and data protection
policies and practices of that agency with regard to the
collection, use, sharing, disclosure, transfer, and security of
personally identifiable information relating to the agency
employees and the public. Such practices shall be accurately
and clearly stated in written policies governing the data
collection and use practices of the agency, both online and
offline.
(2) Content.--At a minimum, each benchmark assessment shall
determine and state--
(A) the personally identifiable information the
agency collects on--
(i) employees of the agency; and
(ii) members of the public;
(B) any purpose for which the personally
identifiable information is collected;
(C) any notice given to individuals regarding the
collection and use of personal information, relating to
that individual;
(D) any access given to individuals to review,
amend, correct, supplement, or delete personal
information relating to that individual;
(E) whether or not consent is obtained from an
individual before personally identifiable information
is collected, used, transferred, or disclosed and any
method used to obtain consent;
(F) the policies and practices of the agency for
the security of personally identifiable information;
(G) the policies and practices of the agency for
the proper use of personally identifiable information;
(H) the training and education procedures of the
agency to adequately train personnel on agency policies
and procedures for privacy and data protection;
(I) the policies and procedures of the agency for
monitoring and reporting violations of privacy and data
protection policies; and
(J) the policies and procedures of the agency for
assessing the impact of technologies on the stated
privacy and security policies.
(g) Recording.--A written report of each benchmark assessment shall
be prepared and recorded with the Inspector General of the agency to
serve as a benchmark for the data protection and privacy practices and
policies of the agency. Each benchmark assessment shall be signed by
the agency privacy manager, verifying that the agency is in good faith
compliance with the policies and practices stated in the benchmark
assessment.
(h) Independent, Third-Party Review.--
(1) In general.--At least every 3 years, each agency shall
have performed an independent, third-party review of the
privacy and data protection practices of the agency to--
(A) determine the effectiveness of the privacy and
data protection policies, practices, and procedures;
and
(B) ensure compliance with the stated privacy
policy of the agency.
(2) Purposes.--The purposes of reviews under this
subsection are to--
(A) measure privacy and data protection practices
against the original benchmark assessment of the
agency;
(B) ensure compliance and consistency with both
online and offline stated privacy policies; and
(C) provide agencies with ongoing awareness and
recommendations regarding privacy and data protection
practices.
(3) Requirements of review.--The Inspector General of each
agency shall contract with an independent, third party that is
a recognized leader in privacy consulting, privacy technology,
and data collection and use management to--
(A) evaluate the privacy and data protection
practices of the agency; and
(B) recommend strategies and specific steps to
improve privacy and data protection management.
(4) Content.--Each review under this subsection shall
include--
(A) a review of the original benchmark assessment
concerning the privacy and data protection practices of
the agency with regard to the collection, use, sharing,
disclosure, transfer, and security of personally
identifiable information relating to agency employees
and the public;
(B) a detailed review of the current offline
privacy and data protection practices of the agency
with regard to the collection, use, sharing,
disclosure, transfer, and security of personally
identifiable information of the employees of the agency
and the public to check for compliance with the
original benchmark assessment, especially concerning
whether those practices are accurately reflected in the
written policies of the agency; and
(C) a detailed electronic scan of any website of
the agency with a technology product that alerts an
agency to the privacy vulnerabilities on that web page,
including--
(i) possible noncompliance with the
benchmark assessment;
(ii) whether the privacy and data
protection practices of the agency comply to
the written privacy policy of the agency; and
(iii) whether there are any risks for
inadvertent release of personally identifiable
information from the website of the agency.
(5) Restrictions to avoid conflict of interest.--An
independent contractor that has substantial business with an
agency may not perform a review under this subsection for that
agency.
(6) Report.--Upon completion of a review, the Inspector
General of an agency shall submit to the head of that agency a
detailed report on the review, including recommendations for
improvements or enhancements to privacy and data protection
practices of the agency.
(i) Internet Availability.--Each agency shall make each agency
benchmark assessment, each independent third party review, and each
report of the Inspector General relating to that review available to
the public on the website of the agency.