2010 US Code
Title 42 - THE PUBLIC HEALTH AND WELFARE
CHAPTER 21E - PRIVACY AND CIVIL LIBERTIES PROTECTION AND OVERSIGHT
Sec. 2000ee-2 - Privacy and data protection policies and procedures
View Metadata| Publication Title | United States Code, 2006 Edition, Supplement 4, Title 42 - THE PUBLIC HEALTH AND WELFARE |
| Category | Bills and Statutes |
| Collection | United States Code |
| SuDoc Class Number | Y 1.2/5: |
| Contained Within | Title 42 - THE PUBLIC HEALTH AND WELFARE CHAPTER 21E - PRIVACY AND CIVIL LIBERTIES PROTECTION AND OVERSIGHT Sec. 2000ee-2 - Privacy and data protection policies and procedures |
| Contains | section 2000ee-2 |
| Date | 2010 |
| Laws in Effect as of Date | January 7, 2011 |
| Positive Law | No |
| Disposition | standard |
| Source Credit | Pub. L. 108-447, div. H, title V, §522, Dec. 8, 2004, 118 Stat. 3268; Pub. L. 110-161, div. D, title VII, §742(b), Dec. 26, 2007, 121 Stat. 2032. |
| Statutes at Large References | 88 Stat. 1896 116 Stat. 2259, 2899, 2946 118 Stat. 3268 121 Stat. 2032 |
| Public Law References | Public Law 93-579, Public Law 107-296, Public Law 107-347, Public Law 108-447, Public Law 110-161 |
§2000ee–2. Privacy and data protection policies and procedures (a) Privacy Officer
Each agency shall have a Chief Privacy Officer to assume primary responsibility for privacy and data protection policy, including—
(1) assuring that the use of technologies sustain, and do not erode, privacy protections relating to the use, collection, and disclosure of information in an identifiable form;
(2) assuring that technologies used to collect, use, store, and disclose information in identifiable form allow for continuous auditing of compliance with stated privacy policies and practices governing the collection, use and distribution of information in the operation of the program;
(3) assuring that personal information contained in Privacy Act systems of records is handled in full compliance with fair information practices as defined in the Privacy Act of 1974 [5 U.S.C. 552a];
(4) evaluating legislative and regulatory proposals involving collection, use, and disclosure of personal information by the Federal Government;
(5) conducting a privacy impact assessment of proposed rules of the Department on the privacy of information in an identifiable form, including the type of personally identifiable information collected and the number of people affected;
(6) preparing a report to Congress on an annual basis on activities of the Department that affect privacy, including complaints of privacy violations, implementation of section 552a of title 5, 11 1 internal controls, and other relevant matters;
(7) ensuring that the Department protects information in an identifiable form and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction;
(8) training and educating employees on privacy and data protection policies to promote awareness of and compliance with established privacy and data protection policies; and
(9) ensuring compliance with the Departments 2 established privacy and data protection policies.
(b) Establishing privacy and data protection procedures and policies (1) 3 In generalWithin 12 months of December 8, 2004, each agency shall establish and implement comprehensive privacy and data protection procedures governing the agency's collection, use, sharing, disclosure, transfer, storage and security of information in an identifiable form relating to the agency employees and the public. Such procedures shall be consistent with legal and regulatory guidance, including OMB regulations, the Privacy Act of 1974 [5 U.S.C. 552a], and section 208 of the E-Government Act of 2002.
(c) RecordingEach agency shall prepare a written report of its use of information in an identifiable form, along with its privacy and data protection policies and procedures and record it with the Inspector General of the agency to serve as a benchmark for the agency. Each report shall be signed by the agency privacy officer to verify that the agency intends to comply with the procedures in the report. By signing the report the privacy officer also verifies that the agency is only using information in identifiable form as detailed in the report.
(d) Inspector General reviewThe Inspector General of each agency shall periodically conduct a review of the agency's implementation of this section and shall report the results of its review to the Committees on Appropriations of the House of Representatives and the Senate, the House Committee on Oversight and Government Reform, and the Senate Committee on Homeland Security and Governmental Affairs. The report required by this review may be incorporated into a related report to Congress otherwise required by law including, but not limited to, section 3545 of title 44, the Federal Information Security Management Act of 2002. The Inspector General may contract with an independent, third party organization to conduct the review.
(e) Report (1) In generalUpon completion of a review, the Inspector General of an agency shall submit to the head of that agency a detailed report on the review, including recommendations for improvements or enhancements to management of information in identifiable form, and the privacy and data protection procedures of the agency.
(2) Internet availabilityEach agency shall make each independent third party review, and each report of the Inspector General relating to that review available to the public.
(f) DefinitionIn this section, the definition of “identifiable form” is consistent with Public Law 107–347, the E-Government Act of 2002, and means any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means.
(Pub. L. 108–447, div. H, title V, §522, Dec. 8, 2004, 118 Stat. 3268; Pub. L. 110–161, div. D, title VII, §742(b), Dec. 26, 2007, 121 Stat. 2032.)
References in TextThe Privacy Act of 1974, referred to in subsecs. (a)(3) and (b)(1), is Pub. L. 93–579, Dec. 31, 1974, 88 Stat. 1896, which enacted section 552a of Title 5, Government Organization and Employees, and provisions set out as notes under section 552a of Title 5. For complete classification of this Act to the Code, see Short Title of 1974 Amendment note set out under section 552a of Title 5 and Tables.
The Federal Information Security Management Act of 2002, referred to in subsec. (d), is the statutory short title for title III of Pub. L. 107–347, Dec. 17, 2002, 116 Stat. 2946, and for title X of Pub. L. 107–296, Nov. 25, 116 Stat. 2259. For complete classification of these Acts to the Code, see Short Title of 2002 Amendments note set out under section 101 of Title 44, Public Printing and Documents, Short Title note set out under section 101 of Title 6, Domestic Security, and Tables.
The E-Government Act of 2002, referred to in subsec. (f), is Pub. L. 107–347, Dec. 17, 2002, 116 Stat. 2899. Section 208 of the Act is set out as a note under section 3501 of Title 44, Public Printing and Documents. For complete classification of this Act to the Code, see Short Title of 2002 Amendments note set out under section 101 of Title 44 and Tables.
CodificationSection was formerly set out as a note under section 552a of Title 5, Government Organization and Employees.
Amendments2007—Subsec. (d). Pub. L. 110–161 added subsec. (d) and struck out former subsec. (d) which related to independent, third-party reviews.
1 So in original.
2 So in original. Probably should be “Department's”.
3 So in original. No par. (2) has been enacted.
Disclaimer: These codes may not be the most recent version. The United States Government Printing Office may have more current or accurate information. We make no warranties or guarantees about the accuracy, completeness, or adequacy of the information contained on this site or the information linked to on the US site. Please check official sources.
