Printer Friendly
A
A
A
WASHINGTON, D.C. - Today, U.S. Senator Daniel K. Akaka, chairman of the Senate Subcommittee on Oversight of Government Management, the Federal Workforce, and the District of Columbia, introduced a bill to amend the Privacy Act of 1974 and other privacy related laws to modernize them for the information age.
Senator Akaka's remarks in today's Congressional Record:
"In 1974, Congress enacted the Privacy Act to protect Americans' personal information from improper disclosure by the Federal government. Broadly, the Privacy Act requires that government agencies allow individuals to see any records an agency keeps on him or her (with some exceptions for security and law enforcement), limits the extent to which the government may share data with and agencies and third parties, allows individuals to access and correct their records, requires agencies to provide notice of what data is collected and how it is used and to keep records of disclosures, and provides individuals the ability to enforce their rights under the Act.
With the expansion of technology and the proliferation of personally identifiable information in the hands of government agencies, the risk of losing, abusing, or misusing information has grown exponentially. In particular, over the last ten years security needs have created pressure on agencies to use existing personal information in new ways, not contemplated when the information was collected. The growth in the business of buying and selling individuals' information also raises new questions about the extent to which the Privacy Act applies to these sources of data on individuals used by the government. Meanwhile, there have been few updates to the Privacy Act, leaving it better suited to file cabinets and clunky 30 year old databases than the modern information technology systems in use at agencies today.
In 2008, the Government Accountability Office (GAO) released a report that I requested entitled, "Privacy: Alternatives Exist for Enhancing Protection of Personally Identifiable Information" (GAO-08-536). GAO later testified about its findings at a Homeland Security and Governmental Affairs Committee hearing where it identified issues in three main areas that could be enhanced: (1) applying privacy protections consistently to all federal collection and use of personal information; (2) ensuring that collection and use of personally identifiable information is limited to a stated purpose; and (3) establishing effective mechanisms for informing the public about privacy protections.
After examining these recommendations and consulting with outside privacy experts, working groups, and privacy and civil liberties advocates, I am introducing the Privacy Act Modernization for the Information Age Act of 2011. This bill addresses the issues raised by GAO, adds stronger privacy leadership at the Office of Management and Budget to ensure effective execution of the Privacy Act, and extends authority for privacy officers to investigate possible violations of privacy laws.
This bill updates the Privacy Act in several ways. It simplifies some of the definitions to apply them to modern information technology management ideas that were in their infancy in 1974. It also tightens requirements for agency controls and maintenance of records to ensure their use is authorized, and that personally identifiable information is not misused.
Agencies would also be more accountable to the public in protecting information. Notifications of systems with personally identifiable information would be more relevant, transparent, and accessible, allowing Americans to know which agencies may have what information about them and in what systems. Importantly, the bill would create a centralized privacy website containing System of Records Notices and other related privacy information.
If civil or criminal violations of the Privacy Act do occur, the penalties have been updated to reflect similar penalties in other laws. The bill would also clarify Congress's intent in the statutory damages provision in the Privacy Act by overturning Doe v. Chao, in which the Supreme Court, I believe wrongly, held that an individual has to show actual damages resulted from an intentional or willful improper disclosure of personal information in order to receive an award.
My bill also builds on important new privacy protections introduced in the E-Government Act of 2002, which established a requirement for a Privacy Impact Assessment on certain new systems developed at agencies that contain personally identifiable information. It also codifies the term "personally identifiable information," which has been defined by the Office of Management and Budget (OMB) for years in conjunction with the Privacy Act. This will let us focus on protecting personally identifiable information rather than defining it.
The Privacy Act Modernization for the Information Age Act of 2011 would expand a successful tool given to the Department of Homeland Security (DHS) Chief Privacy Officer (CPO) to other major agency CPOs. In 2008, I championed the POWER Act, which gave the DHS CPO the authority to investigate possible violations of privacy laws if an Inspector General declines to investigate. I am pleased to say this authority has not been abused, and in fact has been used only once at DHS where its Inspector General inadvertently experienced a minor data breach, and the CPO investigated the issue. This is a useful tool that I believe other privacy offices overseeing massive amounts of personally identifiable information could benefit from.
Finally, my bill would create a strong Federal Chief Privacy Officer (FCPO) at OMB as well as a government-wide Chief Privacy Officers Council, to fill the wide gaps in government-wide privacy leadership and ensure consistent development of policies and guidance on the Privacy Act across agencies. The FCPO position existed under President Clinton, but it has not been replicated by subsequent administrations. I have been impressed with DHS's leadership on privacy issues, thanks to tools we have put into law and the resources we have provided. It is equally important to enhance government-wide leadership through the FCPO and the Chief Privacy Officers Council, which will create a better environment to share ideas across agencies.
This bill would be an important step forward in modernizing how government agencies execute their obligations to protect the personal information provided to them by all Americans. With the proliferation of data about every one of us online, and possibly creeping into government databases, we need more transparency so the average person has a place to go to learn about what information the government is keeping and how they can access that information. I urge my colleagues to support this effort and to continue to work with me and the Homeland Security and Governmental Affairs Committee to produce legislation to improve Federal privacy before this Congress adjourns."
Akaka introduces the Privacy Act Modernization for the Information Age Act
Tue, October 18, 2011
WASHINGTON, D.C. - Today, U.S. Senator Daniel K. Akaka, chairman of the Senate Subcommittee on Oversight of Government Management, the Federal Workforce, and the District of Columbia, introduced a bill to amend the Privacy Act of 1974 and other privacy related laws to modernize them for the information age.
Senator Akaka's remarks in today's Congressional Record:
"In 1974, Congress enacted the Privacy Act to protect Americans' personal information from improper disclosure by the Federal government. Broadly, the Privacy Act requires that government agencies allow individuals to see any records an agency keeps on him or her (with some exceptions for security and law enforcement), limits the extent to which the government may share data with and agencies and third parties, allows individuals to access and correct their records, requires agencies to provide notice of what data is collected and how it is used and to keep records of disclosures, and provides individuals the ability to enforce their rights under the Act.
With the expansion of technology and the proliferation of personally identifiable information in the hands of government agencies, the risk of losing, abusing, or misusing information has grown exponentially. In particular, over the last ten years security needs have created pressure on agencies to use existing personal information in new ways, not contemplated when the information was collected. The growth in the business of buying and selling individuals' information also raises new questions about the extent to which the Privacy Act applies to these sources of data on individuals used by the government. Meanwhile, there have been few updates to the Privacy Act, leaving it better suited to file cabinets and clunky 30 year old databases than the modern information technology systems in use at agencies today.
In 2008, the Government Accountability Office (GAO) released a report that I requested entitled, "Privacy: Alternatives Exist for Enhancing Protection of Personally Identifiable Information" (GAO-08-536). GAO later testified about its findings at a Homeland Security and Governmental Affairs Committee hearing where it identified issues in three main areas that could be enhanced: (1) applying privacy protections consistently to all federal collection and use of personal information; (2) ensuring that collection and use of personally identifiable information is limited to a stated purpose; and (3) establishing effective mechanisms for informing the public about privacy protections.
After examining these recommendations and consulting with outside privacy experts, working groups, and privacy and civil liberties advocates, I am introducing the Privacy Act Modernization for the Information Age Act of 2011. This bill addresses the issues raised by GAO, adds stronger privacy leadership at the Office of Management and Budget to ensure effective execution of the Privacy Act, and extends authority for privacy officers to investigate possible violations of privacy laws.
This bill updates the Privacy Act in several ways. It simplifies some of the definitions to apply them to modern information technology management ideas that were in their infancy in 1974. It also tightens requirements for agency controls and maintenance of records to ensure their use is authorized, and that personally identifiable information is not misused.
Agencies would also be more accountable to the public in protecting information. Notifications of systems with personally identifiable information would be more relevant, transparent, and accessible, allowing Americans to know which agencies may have what information about them and in what systems. Importantly, the bill would create a centralized privacy website containing System of Records Notices and other related privacy information.
If civil or criminal violations of the Privacy Act do occur, the penalties have been updated to reflect similar penalties in other laws. The bill would also clarify Congress's intent in the statutory damages provision in the Privacy Act by overturning Doe v. Chao, in which the Supreme Court, I believe wrongly, held that an individual has to show actual damages resulted from an intentional or willful improper disclosure of personal information in order to receive an award.
My bill also builds on important new privacy protections introduced in the E-Government Act of 2002, which established a requirement for a Privacy Impact Assessment on certain new systems developed at agencies that contain personally identifiable information. It also codifies the term "personally identifiable information," which has been defined by the Office of Management and Budget (OMB) for years in conjunction with the Privacy Act. This will let us focus on protecting personally identifiable information rather than defining it.
The Privacy Act Modernization for the Information Age Act of 2011 would expand a successful tool given to the Department of Homeland Security (DHS) Chief Privacy Officer (CPO) to other major agency CPOs. In 2008, I championed the POWER Act, which gave the DHS CPO the authority to investigate possible violations of privacy laws if an Inspector General declines to investigate. I am pleased to say this authority has not been abused, and in fact has been used only once at DHS where its Inspector General inadvertently experienced a minor data breach, and the CPO investigated the issue. This is a useful tool that I believe other privacy offices overseeing massive amounts of personally identifiable information could benefit from.
Finally, my bill would create a strong Federal Chief Privacy Officer (FCPO) at OMB as well as a government-wide Chief Privacy Officers Council, to fill the wide gaps in government-wide privacy leadership and ensure consistent development of policies and guidance on the Privacy Act across agencies. The FCPO position existed under President Clinton, but it has not been replicated by subsequent administrations. I have been impressed with DHS's leadership on privacy issues, thanks to tools we have put into law and the resources we have provided. It is equally important to enhance government-wide leadership through the FCPO and the Chief Privacy Officers Council, which will create a better environment to share ideas across agencies.
This bill would be an important step forward in modernizing how government agencies execute their obligations to protect the personal information provided to them by all Americans. With the proliferation of data about every one of us online, and possibly creeping into government databases, we need more transparency so the average person has a place to go to learn about what information the government is keeping and how they can access that information. I urge my colleagues to support this effort and to continue to work with me and the Homeland Security and Governmental Affairs Committee to produce legislation to improve Federal privacy before this Congress adjourns."
-END-
