Federal Agency Data Privacy Protection Act - Sets forth requirements: (1) for the use of encryption for sensitive data maintained by the federal government; (2) relating to access by agency personnel to sensitive data; and (3) relating to government contractors and their employees involving sensitive data.
[Congressional Bills 109th Congress]
[From the U.S. Government Publishing Office]
[H.R. 5820 Introduced in House (IH)]
109th CONGRESS
2d Session
H. R. 5820
To increase the security of sensitive data maintained by the Federal
Government.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
July 17, 2006
Mr. Sweeney introduced the following bill; which was referred to the
Committee on Government Reform
_______________________________________________________________________
A BILL
To increase the security of sensitive data maintained by the Federal
Government.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Federal Agency Data Privacy
Protection Act''.
SEC. 2. DEFINITION OF SENSITIVE DATA.
In this Act--
(1) Sensitive data.--The term ``sensitive data'' includes
the following:
(A) Social security numbers.
(B) Financial records.
(C) Previous or current health records, including
hospital or treatment records of any kind, including
drug and alcohol rehabilitation records.
(D) Criminal records.
(E) Licenses.
(F) License denials, suspensions, or revocations.
(G) Tax returns.
(H) Information that has been specifically
authorized under criteria established by an Executive
order or an Act of Congress to be kept classified in
the interest of national defense or foreign policy.
(I) Personally identifiable information.
(2) Personally identifiable information.--The term
``personally identifiable information'' means any information,
in any form or medium, that relates to the past, present, or
future physical or mental health, predisposition, or condition
of an individual or the provision of health care to an
individual.
(3) Federal computer system.--The term ``Federal computer
system'' has the meaning given such term in section 20(d) of
the National Institute of Standards and Technology Act (15
U.S.C. 278g-3(d)).
(4) Agency.--The term ``agency'' has the meaning provided
in section 3502(1) of title 44, United States Code.
(5) Record.--The term ``record'' has the meaning provided
in section 552a(a) of title 5, United States Code.
SEC. 3. REQUIREMENT FOR USE OF ENCRYPTION FOR SENSITIVE DATA.
(a) Requirement for Encryption.--
(1) In general.--All sensitive data maintained by the
Federal Government, including such data maintained in Federal
computer systems, shall be secured by the use of the most
secure encryption standard recognized by the National Institute
of Standards and Technology.
(2) Updating required every 6 months.--Any sequence of
characters (known as an encryption key) used to secure an
encryption standard used on Federal computer systems shall be
changed every 6 months, at a minimum, to provide additional
security.
(3) Implementation.--The requirements of this subsection
shall be implemented not later than 6 months after the date of
the enactment of this Act.
(b) Federal Agency Responsibilities.--The head of each agency shall
be responsible for complying with the requirements of subsection (a)
within the agency. Such requirement shall be considered to be a
requirement of subchapter III of chapter 35 of title 44, United States
Code, for purposes of section 3544(a)(1)(B) of such title.
SEC. 4. REQUIREMENTS RELATING TO ACCESS BY AGENCY PERSONNEL TO
SENSITIVE DATA.
(a) On-Site Access.--No employee of the Federal government may have
access to sensitive data on Government property unless the employee has
received a security clearance at the ``secret'' level or higher and has
completed a financial disclosure form, in accordance with applicable
provisions of law and regulation.
(b) Off-Site Access.--
(1) Prohibition.--Sensitive data maintained by an agency
may not be transported or accessed from a location off
Government property unless a request for such transportation or
access is submitted and approved by the Inspector General of
the agency in accordance with paragraph (2).
(2) Procedures.--
(A) Deadline for approval or disapproval.--In the
case of any request submitted under paragraph (1) to an
Inspector General of an agency, the Inspector General
shall approve or disapprove the request within 2
business days after the date of submission of the
request.
(B) Limitation to 10,000 records.--If a request is
approved, the Inspector General shall limit the access
to not more than 10,000 records at a time.
(3) Encryption.--Any technology used to store, transport,
or access sensitive data during for purposes of off-site access
approved under this subsection shall be secured by the use of
the most secure encryption standard recognized by the National
Institute of Standards and Technology.
(c) Implementation.--The requirements of this subsection shall be
implemented not later than 6 months after the date of the enactment of
this Act.
SEC. 5. REQUIREMENTS RELATING TO GOVERNMENT CONTRACTORS INVOLVING
SENSITIVE DATA.
(a) Applicability to Government Contractors.--In entering into any
contract that may involve sensitive data in electronic or digital form
on 10,000 or more United States citizens, an agency shall require the
contractor and employees of the contractor to comply with the
requirements of sections 3 and 4 of this Act in the performance of the
contract, in the same manner as agencies and government employees
comply with such requirements.
(b) Implementation.--The requirements of this subsection shall be
implemented with respect to contracts entered into on or after the date
occurring 6 months after the date of the enactment of this Act.
<all>
Introduced in House
Referred to the House Committee on Government Reform.
Sponsor introductory remarks on measure. (CR H7477)