§2000ee–2. Privacy and data protection policies and procedures
(a) Privacy Officer
Each agency shall have a Chief Privacy Officer to assume primary responsibility for privacy and data protection policy, including-
(1) assuring that the use of technologies sustain, and do not erode, privacy protections relating to the use, collection, and disclosure of information in an identifiable form;
(2) assuring that technologies used to collect, use, store, and disclose information in identifiable form allow for continuous auditing of compliance with stated privacy policies and practices governing the collection, use and distribution of information in the operation of the program;
(3) assuring that personal information contained in Privacy Act systems of records is handled in full compliance with fair information practices as defined in the Privacy Act of 1974 [5 U.S.C. 552a];
(4) evaluating legislative and regulatory proposals involving collection, use, and disclosure of personal information by the Federal Government;
(5) conducting a privacy impact assessment of proposed rules of the Department on the privacy of information in an identifiable form, including the type of personally identifiable information collected and the number of people affected;
(6) preparing a report to Congress on an annual basis on activities of the Department that affect privacy, including complaints of privacy violations, implementation of section 552a of title 5, 11 1 internal controls, and other relevant matters;
(7) ensuring that the Department protects information in an identifiable form and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction;
(8) training and educating employees on privacy and data protection policies to promote awareness of and compliance with established privacy and data protection policies; and
(9) ensuring compliance with the Departments [2] established privacy and data protection policies.
(b) Establishing privacy and data protection procedures and policies
(1) In general
Within 12 months of December 8, 2004, each agency shall establish and implement comprehensive privacy and data protection procedures governing the agency's collection, use, sharing, disclosure, transfer, storage and security of information in an identifiable form relating to the agency employees and the public. Such procedures shall be consistent with legal and regulatory guidance, including OMB regulations, the Privacy Act of 1974 [5 U.S.C. 552a], and section 208 of the E-Government Act of 2002.
(c) Recording
Each agency shall prepare a written report of its use of information in an identifiable form, along with its privacy and data protection policies and procedures and record it with the Inspector General of the agency to serve as a benchmark for the agency. Each report shall be signed by the agency privacy officer to verify that the agency intends to comply with the procedures in the report. By signing the report the privacy officer also verifies that the agency is only using information in identifiable form as detailed in the report.
(d) Inspector General review
The Inspector General of each agency shall periodically conduct a review of the agency's implementation of this section and shall report the results of its review to the Committees on Appropriations of the House of Representatives and the Senate, the House Committee on Oversight and Government Reform, and the Senate Committee on Homeland Security and Governmental Affairs. The report required by this review may be incorporated into a related report to Congress otherwise required by law including, but not limited to, section 3545 of title 44, the Federal Information Security Management Act of 2002. The Inspector General may contract with an independent, third party organization to conduct the review.
(e) Report
(1) In general
Upon completion of a review, the Inspector General of an agency shall submit to the head of that agency a detailed report on the review, including recommendations for improvements or enhancements to management of information in identifiable form, and the privacy and data protection procedures of the agency.
(2) Internet availability
Each agency shall make each independent third party review, and each report of the Inspector General relating to that review available to the public.
(f) Definition
In this section, the definition of "identifiable form" is consistent with
(
Editorial Notes
References in Text
The Privacy Act of 1974, referred to in subsecs. (a)(3) and (b)(1), is
Section 3545 of title 44, referred to in subsec. (d), was repealed by
The Federal Information Security Management Act of 2002, referred to in subsec. (d), is the statutory short title for title III of
The E-Government Act of 2002, referred to in subsec. (f), is
Codification
Section was formerly set out as a note under section 552a of Title 5, Government Organization and Employees.
Amendments
2007-Subsec. (d).
Statutory Notes and Related Subsidiaries
Change of Name
Committee on Oversight and Government Reform of House of Representatives changed to Committee on Oversight and Reform of House of Representatives by House Resolution No. 6, One Hundred Sixteenth Congress, Jan. 9, 2019. Committee on Oversight and Reform of House of Representatives changed to Committee on Oversight and Accountability of House of Representatives by House Resolution No. 5, One Hundred Eighteenth Congress, Jan. 9, 2023.
Executive Documents
Ex. Ord. No. 13719. Establishment of the Federal Privacy Council
Ex. Ord. No. 13719, Feb. 9, 2016, 81 F.R. 7961, provided:
By the authority vested in me as President by the Constitution and the laws of the United States of America, it is hereby ordered as follows:
Executive departments and agencies (agencies) already take seriously their mission to protect privacy and have been working diligently to advance that mission through existing interagency mechanisms. Today's challenges, however, require that we find even more effective and innovative ways to improve the Government's efforts. Our efforts to meet these new challenges and preserve our core value of privacy, while delivering better and more effective Government services for the American people, demand leadership and enhanced coordination and collaboration among a diverse group of stakeholders and experts.
Therefore, it shall be the policy of the United States Government that agencies shall establish an interagency support structure that: builds on existing interagency efforts to protect privacy and provides expertise and assistance to agencies; expands the skill and career development opportunities of agency privacy professionals; improves the management of agency privacy programs by identifying and sharing lessons learned and best practices; and promotes collaboration between and among agency privacy professionals to reduce unnecessary duplication of efforts and to ensure the effective, efficient, and consistent implementation of privacy policy Government-wide.
(a) Establishment. There is hereby established the Federal Privacy Council (Privacy Council) as the principal interagency forum to improve the Government privacy practices of agencies and entities acting on their behalf. The establishment of the Privacy Council will help Senior Agency Officials for Privacy at agencies better coordinate and collaborate, educate the Federal workforce, and exchange best practices. The activities of the Privacy Council will reinforce the essential work that agency privacy officials undertake every day to protect privacy.
(b) Membership. The Chair of the Privacy Council shall be the Deputy Director for Management of the Office of Management and Budget. The Chair may designate a Vice Chair, establish working groups, and assign responsibilities for operations of the Privacy Council as he or she deems necessary. In addition to the Chair, the Privacy Council shall be composed of the Senior Agency Officials for Privacy at the following agencies:
(i) Department of State;
(ii) Department of the Treasury;
(iii) Department of Defense;
(iv) Department of Justice;
(v) Department of the Interior;
(vi) Department of Agriculture;
(vii) Department of Commerce;
(viii) Department of Labor;
(ix) Department of Health and Human Services;
(x) Department of Homeland Security;
(xi) Department of Housing and Urban Development;
(xii) Department of Transportation;
(xiii) Department of Energy;
(xiv) Department of Education;
(xv) Department of Veterans Affairs;
(xvi) Environmental Protection Agency;
(xvii) Office of the Director of National Intelligence;
(xviii) Small Business Administration;
(xix) National Aeronautics and Space Administration;
(xx) Agency for International Development;
(xxi) General Services Administration;
(xxii) National Science Foundation;
(xxiii) Office of Personnel Management; and
(xxiv) National Archives and Records Administration.
The Privacy Council may also include other officials from agencies and offices, as the Chair may designate, and the Chair may invite the participation of officials from such independent agencies as he or she deems appropriate.
(c) Functions. The Privacy Council shall:
(i) develop recommendations for the Office of Management and Budget on Federal Government privacy policies and requirements;
(ii) coordinate and share ideas, best practices, and approaches for protecting privacy and implementing appropriate privacy safeguards;
(iii) assess and recommend how best to address the hiring, training, and professional development needs of the Federal Government with respect to privacy matters; and
(iv) perform other privacy-related functions, consistent with law, as designated by the Chair.
(d) Coordination.
(i) The Chair and the Privacy Council shall coordinate with the Federal Chief Information Officers Council (CIO Council) to promote consistency and efficiency across the executive branch when addressing privacy and information security issues. In addition, the Chairs of the Privacy Council and the CIO Council shall coordinate to ensure that the work of the two councils is complementary and not duplicative.
(ii) The Chair and the Privacy Council should coordinate, as appropriate, with such other interagency councils and councils and offices within the Executive Office of the President, as appropriate, including the President's Management Council, the Chief Financial Officers Council, the President's Council on Integrity and Efficiency, the National Science and Technology Council, the National Economic Council, the Domestic Policy Council, the National Security Council staff, the Office of Science and Technology Policy, the Interagency Council on Statistical Policy, the Federal Acquisition Regulatory Council, and the Small Agency Council.
(i) the authority granted by law to a department, agency, or the head thereof; or
(ii) the functions of the Director relating to budgetary, administrative, or legislative proposals.
(b) This order shall be implemented consistent with applicable law and subject to the availability of appropriations.
(c) Independent agencies are encouraged to comply with the requirements of this order.
(d) This order is not intended to, and does not, create any right or benefit, substantive or procedural, enforceable at law or in equity by any party against the United States, its departments, agencies, or entities, its officers, employees, or agents, or any other person.
Barack Obama.
[Ex. Ord. No. 13719 was originally published at 81 F.R. 7687 and was republished as set out above to correct an error appearing in the original publication.]
[2] So in original. Probably should be "Department's".