PRINTER'S NO. 2360
No. 1822 Session of 2001
INTRODUCED BY ARMSTRONG, THOMAS, RAYMOND AND TIGUE, JUNE 21, 2001
REFERRED TO COMMITTEE ON INTERGOVERNMENTAL AFFAIRS, JUNE 21, 2001
AN ACT
Providing for protection of personal information in the private sector, for collection, disclosure and use of personal information, for written request, for access, for sensory disability, for remedies, for complaints, for reports, for hearings, for audits, for compliance, for findings and recommendations, for accountability, for consent, for accuracy, for safeguards, for openness, for compliance, for confidentiality, for witnesses, for authority and duty of Attorney General, for consultation with other states and Federal Government, for annual report, for regulations, for whistleblowing, for review by Senate and House of Representatives committees and for repeals.
Chapter 1. Preliminary Provisions
Section 101. Short title.
Section 102. Definitions.
Section 103. Purpose.
Section 104. Application.
Chapter 3. Protection of Personal Information
Section 301. General rules.
Section 302. Collection of personal information.
Section 303. Use of personal information.
Section 304. Disclosure without knowledge or consent.
Section 305. Use without consent.
Section 306. Disclosure without consent.
Section 307. Written request.
Section 308. When access prohibited.
Section 309. When access may be refused.
Section 310. Sensory disability.
Chapter 5. Remedies
Section 501. Complaints.
Section 502. Investigations of complaints.
Section 503. Report.
Section 504. Hearing by court.
Section 505. Complaints not initiated by Attorney General.
Section 506. Remedies.
Section 507. Summary hearings.
Chapter 7. Audits
Section 701. To ensure compliance.
Section 702. Report of findings and recommendations.
Chapter 9. Principles
Section 901. Accountability.
Section 902. Identifying purposes.
Section 903. Consent.
Section 904. Limiting collection.
Section 905. Limiting use, disclosure and retention.
Section 906. Accuracy.
Section 907. Safeguards.
Section 908. Openness.
Section 909. Individual access.
Section 910. Challenging compliance.
Chapter 51. General Provisions
Section 5101. Confidentiality.
20010H1822B2360 - 2 -
Section 5102. Not competent witness.
Section 5103. Protection of Attorney General.
Section 5104. Consultation with other states and Federal Government.
Section 5105. Promotion of purposes of act.
Section 5106. Annual report.
Section 5107. Regulations.
Section 5108. Whistleblowing.
Section 5109. Review by Senate and House of Representatives committees.
Section 5110. Application.
Section 5111. Penalty.
Section 1512. Repeals.
Section 1513. Effective date.
The General Assembly of the Commonwealth of Pennsylvania hereby enacts as follows:

CHAPTER 1
PRELIMINARY PROVISIONS
Section 101. Short title.
This act shall be known and may be cited as the Protection of Personal Information Act.
Section 102. Definitions.
The following words and phrases when used in this act shall have the meanings given to them in this section unless the context clearly indicates otherwise:
"Alternative format." With respect to personal information, the term means a format that allows a person with a sensory disability to read or listen to the personal information.
"Commercial activity." Any transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.
"Organization." The term includes a corporation, partnership and association.
"Person." The term includes a corporation, partnership and association, as well as an individual.
"Personal health information." With respect to an individual, whether living or deceased, the term includes:
(1) Information concerning the physical or mental health of the individual.
(2) Information concerning any health service provided to the individual.
(3) Information concerning the donation by the individual of any body part or any bodily substance of the individual or information derived from the testing or examination of a body part or bodily substance of the individual.
(4) Information collected in the course of providing health services to the individual.
(5) Information collected incidentally to the provision of health services to the individual.
"Personal information." Information about an identifiable individual, not including the name, title or business address or telephone number of an employee of an organization.
"Record." Any correspondence, memorandum, book, plan, map, drawing, diagram, pictorial or graphic work, photograph, film, microfilm, sound recording, videotape or machine-readable record and any other documentary material, regardless of physical form or characteristics, and any copy of any of the foregoing.
Section 103. Purpose.
The purpose of this act is to establish, in an era in which technology increasingly facilitates the circulation and exchange of information, rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.
Section 104. Application.
(a) General rule.--This act applies to every person with respect to personal information that:
(1) the person collects, uses or discloses in the course of commercial activities; or
(2) is about an employee of the person and that the person collects, uses or discloses in connection with the operation of any work, undertaking or business.
(b) Exceptions.--This act does not apply to:
(1) An individual with respect to personal information that the individual collects, uses or discloses for personal or domestic purposes and does not collect, use or disclose for any other purpose.
(2) A person with respect to personal information that the person collects, uses or discloses for journalistic, artistic or literary purposes and does not collect, use or disclose for any other purpose.
(3) Every provision of this act applies notwithstanding any provision of an act enacted after the effective date of this act, unless the later act expressly provides that the provision operates notwithstanding the provision of this act.

CHAPTER 3
PROTECTION OF PERSONAL INFORMATION
Section 301. General rules.
(a) Purposes.--A person may collect, use or disclose personal information only for purposes that a reasonable individual would consider appropriate in the circumstances.
(b) Obligation of organization.--The designation of an individual under section 901 does not relieve the organization of the obligation to comply with the obligations set out in Chapter 9.
Section 302. Collection of personal information.
For the purpose of section 903, and notwithstanding the provisions of section 903(1), a person may collect personal information without the knowledge or consent of the individual only if:
(1) The collection is clearly in the interests of the individual and consent cannot be obtained in a timely manner.
(2) It is reasonable to expect that the collection with the knowledge or consent of the individual would compromise the availability or the accuracy of the information and the collection is reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of this Commonwealth or the United States.
(3) The collection is solely for journalistic, artistic or literary purposes.
(4) The information is publicly available.
Section 303. Use of personal information.
For the purpose of section 903, and notwithstanding the provisions of section 903(1), a person may, without the knowledge or consent of the individual, use personal information only if:
(1) in the course of its activities, the person becomes aware of information that it has reasonable grounds to believe could be useful in the investigation of a contravention of the laws of this Commonwealth or the United States that has been, is being or is about to be committed, and the information is used for the purpose of investigating that contravention;
(2) it is used for the purpose of acting with respect to an emergency that threatens the life, health or security of an individual;
(3) it is used for statistical or scholarly study or research purposes that cannot be achieved without using the information, the information is used in a manner that will ensure its confidentiality, it is impracticable to obtain consent, and the organization informs the Attorney General of the use before the information is used;
(4) it is publicly available; or
(5) it was collected under section 302(1) or (2).
Section 304. Disclosure without knowledge or consent.
For the purpose of section 503, and notwithstanding the provisions of section 903(1), a person may disclose personal information without the knowledge or consent of the individual only if the disclosure is:
(1) made to an attorney who is representing the person;
(2) for the purpose of collecting a debt owed by the individual to the person;
(3) required to comply with a subpoena or warrant issued or an order made by a court with jurisdiction to compel the production of information or to comply with rules of court relating to the production of records;
(4) made to a government institution or part of a government institution that has made a request for the information, identified its lawful authority to obtain the information and indicated that:
(i) it suspects that the information relates to national security or the conduct of international affairs;
(ii) the disclosure is requested for the purpose of enforcing any law of this Commonwealth or the United States, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law; or
(iii) the disclosure is requested for the purpose of administering any law of this Commonwealth or the United States;
(5) made on the initiative of the person to an investigative body, a government institution or a part of a government institution and the person:
(i) has reasonable grounds to believe that the information relates to a breach of an agreement or a contravention of laws of this Commonwealth or the United States that has been, is being or is about to be committed; or
(ii) suspects that the information relates to national security or the conduct of international affairs;
(6) made to a person who needs the information because of an emergency that threatens the life, health or security of an individual and, if the individual about whom the information exists is alive, the person informs that individual of the disclosure in writing without delay;
(7) for statistical or scholarly study or research purposes that cannot be achieved without disclosing the information, it is impracticable to obtain consent and the person informs the Attorney General of the disclosure before the information is disclosed;
(8) made to an institution whose functions include the conservation of records of historic or archival importance and the disclosure is made for the purpose of such conservation;
(9) made after the earlier of 100 years after the record containing the information was created or 20 years after the death of the individual about whom the information exists;
(10) of information that is publicly available;
(11) made by an investigative body and the disclosure is reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of this Commonwealth or the United States; or
(12) required by law.
Section 305. Use without consent.
Notwithstanding section 505, a person may use personal information for purposes other than those for which it was collected in any of the circumstances set out in section 303.
Section 306. Disclosure without consent.
Notwithstanding section 905, a person may disclose personal information for purposes other than those for which it was collected in any of the circumstances set out in section 304(1) through (9).
Section 307. Written request.
(a) Request in writing.--A request under section 909 must be made in writing.
(b) Assistance.--A person must assist any individual who informs the person that assistance is needed in preparing a request to the person.
(c) Time limit.--A person shall respond to a request with due diligence and in any case not later than 30 days after receipt of the request.
(d) Extension of time.--A person may extend the time limit:
(1) for a maximum of 30 days if:
(i) meeting the time limit would unreasonably interfere with the activities of the person; or
(ii) the time required to undertake any consultations necessary to respond to the request would make the time limit impracticable to meet; or
(2) for the period that is necessary in order to be able to convert the personal information into an alternative format.
In either case, the person shall, no later than 30 days after the date of the request, send a notice of extension to the individual advising the individual of the new time limit, the reasons for extending the time limit and the individual's right to make a complaint to the Attorney General concerning the extension.
(e) Deemed refusal.--If the person fails to respond within the time limit, the person is deemed to have refused the request.
(f) Costs for responding.--A person may respond to an individual's request at a cost to the individual only if:
(1) the person has informed the individual of the approximate cost; and
(2) the individual has advised the person that the request is not being withdrawn.
(g) Reasons.--A person that responds within the time limit and refuses a request shall inform the individual in writing of the refusal, setting out the reasons and any recourse that the individual may have under this act.
(h) Retention of information.--Notwithstanding section 905, a person that has personal information that is the subject of a request shall retain the information for as long as necessary to allow the individual to exhaust any recourse available under this act.
Section 308. When access prohibited.
(a) General rule.--Notwithstanding section 909, a person shall not give an individual access to personal information if doing so would likely reveal personal information about a third party. However, if the information about the third party is severable from the record containing the information about the individual, the person shall sever the information about the third party before giving the individual access.
(b) Exception.--Subsection (a) does not apply if the third party consents to the access or the individual needs the information because an individual's life, health or security is threatened.
(c) Information related to section 304(3), (4) and (5).--
(1) A person shall comply with subsection (b) if an individual requests that the organization:
(i) inform the individual about:
(A) any disclosure of information to a government institution or a part of a government institution under section 304(3), (4)(i) or (ii) or (5); or
(B) the existence of any information that the person has relating to a disclosure referred to in this subparagraph, to a subpoena, warrant or order referred to in section 304(3) or to a request made by a government institution or a part of a government institution under section 304(4)(i) or (ii); or
(ii) give the individual access to the information referred to in subparagraph (i)(B).
(2) An organization to which paragraph (1) applies:
(i) shall, in writing and without delay, notify the institution or party concerned of the request made by the individual; and
(ii) shall not respond to the request before the earlier of:
(A) the day on which it is notified under paragraph (3); or
(B) 30 days after the day on which the institution or party was notified.
(3) Within 30 days after the day on which it is notified under subsection (b), the institution or party shall notify the organization as to whether the institution or party objects to the organization's complying with the request. The institution or party may object only if the institution or party is of the opinion that compliance with the request could reasonably be expected to be injurious to:
(i) national security or the conduct of international affairs; or
(ii) the enforcement of any law of the United States or of this Commonwealth, an investigation relating to the enforcement of any such law or the gathering of intelligence for the purpose of enforcing any such law.
(4) Notwithstanding section 509, if a person is notified under paragraph (3) that the institution or party objects to the organization's complying with the request, the person:
(i) shall refuse the request to the extent that it relates to paragraph (1)(i) or to information referred to in paragraph (1)(i)(B);
(ii) shall notify the Attorney General, in writing and without delay, of the refusal; and
(iii) shall not disclose to the individual:
(A) any information that the person has relating to a disclosure to a government institution or a part of a government institution under section 304(3), (4)(i) or (ii) or (5) or to a request made by a government institution or a part of a government institution under any of those paragraphs;
(B) that the person notified an institution or party under subsection (b)(1) or the Attorney General under subsection (b)(2); or
(C) that the institution or party objects.
Section 309. When access may be refused.
(a) General rule.--Notwithstanding the provisions of section 909(1), a person is not required to give access to personal information only if:
(1) the information is protected by attorney-client privilege;
(2) to do so would reveal confidential commercial information;
(3) to do so could reasonably be expected to threaten the life or security of another individual;
(4) the information was collected under section 302(2); or
(5) the information was generated in the course of a formal dispute resolution process.
However, in the circumstances described in paragraph (2) or (3), if giving access to the information would reveal confidential commercial information or could reasonably be expected to threaten the life or security of another individual, and that information is severable from the record containing any other information for which access is requested, the person shall give the individual access after severing the protected information.
(b) Limit.--Subsection (a) does not apply if the individual needs the information because an individual's life, health or security is threatened.
(c) Notice.--If a person decides not to give access to personal information in the circumstances set out in subsection (a)(4), the person shall so notify the Attorney General in writing and shall include in the notification any information that the Attorney General may specify.
Section 310. Sensory disability.
An organization shall give access to personal information in an alternative format to an individual with a sensory disability who has a right-of-access to personal information under this act and who requests that it be transmitted in the alternative format if:
(1) a version of the information already exists in that format; or
(2) its conversion into that format is reasonable and necessary in order for the individual to be able to exercise rights under this act.

CHAPTER 5
REMEDIES
Section 501. Complaints.
(a) General rule.--An individual may file with the Attorney General a written complaint against an organization for violating a provision of this act.
(b) Attorney General.--If the Attorney General is satisfied that there are reasonable grounds to investigate a matter, the Attorney General may initiate a complaint concerning the matter.
(c) Time limit.--A complaint that results from the refusal to grant a request under section 307 must be filed within six months or any longer period that the Attorney General allows after the refusal or after the expiration of the time limit for responding to the request, as the case may be.
(d) Notice.--The Attorney General shall give notice of a complaint to the organization against which the complaint was made.
Section 502. Investigations of complaints.
(a) Powers of Attorney General.--The Attorney General shall investigate a complaint and for that purpose may:
(1) Summon and enforce the appearance of persons before the Attorney General and compel them to give oral or written evidence under oath and to produce any records and things that the Attorney General considers necessary to investigate the complaint, in the same manner and to the same extent as a court of record.
(2) Administer oaths.
(3) Receive and accept any evidence and other information, whether under oath, by affidavit or otherwise, that the Attorney General sees fit, regardless of whether it is or would be admissible in a court of law.
(4) At any reasonable time, enter any premises, other than a dwelling house, occupied by a person on satisfying any security requirements of the person relating to the premises.
(5) Converse in private with any person in any premises entered under paragraph (4) and otherwise carry out in those premises any inquiries that the Attorney General sees fit.
(6) Examine and obtain copies of or extracts from records found in any premises entered under paragraph (4) that contain any matter relevant to the investigation.
(b) Dispute resolution mechanisms.--The Attorney General may attempt to resolve complaints by means of dispute resolution mechanisms such as mediation and conciliation.
(c) Return of records.--The Attorney General shall return to a person any record or thing that the person produced under this section within ten days after a request is made to the Attorney General; however, nothing precludes the Attorney General from again requiring that the record or thing be produced.
Section 503. Report.
(a) Contents.--The Attorney General shall, within one year after the day on which a complaint is filed or is initiated by the Attorney General, prepare a report that contains:
(1) The Attorney General's findings and recommendations.
(2) Any settlement that was reached by the parties.
(3) If appropriate, a request that the organization give the Attorney General, within a specified time, notice of any action taken or proposed to be taken to implement the recommendations contained in the report or reasons why no such action has been or is proposed to be taken.
(4) The recourse, if any, that is available under section 504.
(b) When no report is required.--
(1) The Attorney General is not required to prepare a report if the Attorney General is satisfied that:
(i) the complainant should first exhaust grievance or review procedures otherwise reasonably available;
(ii) the complaint could more appropriately be dealt with, initially or completely, by means of a procedure provided for under the laws of this Commonwealth other than this act or the laws of the United States;
(iii) the length of time that has elapsed between the date when the subject matter of the complaint arose and the date when the complaint was filed is such that a report would not serve a useful purpose; or
(iv) the complaint is trivial, frivolous or vexatious or is made in bad faith.
(2) If a report is not to be prepared, the Attorney General shall inform the complainant and the person and explain why a report was not prepared.
(c) Report to parties.--The report shall be sent to the complainant and the person without delay.
Section 504. Hearing by court.
(a) Application.--A complainant may, after receiving the Attorney General's report, apply to the Commonwealth Court for a hearing on any matter with respect to which the complaint was made, or that is referred to in the Attorney General's report, and that is referred to in section 901(3), 902, 903(4), 904, 906, 907 or 908; in section 903, 905 or 909 as modified or clarified in sections 301(a) or 307(f) or (g); or in section 310.
(b) Time of application.--The application must be made within 45 days after the report is sent or within any further time that the court may, either before or after the expiration of 45 days, allow.
(c) Applications of subsections (a) and (b).--Subsections (a) and (b) also apply to complaints referred to in section 501.
Section 505. Complaints not initiated by Attorney General.
The Attorney General may, concerning a complaint that the Attorney General did not initiate:
(1) apply to the Commonwealth Court, within the time limited by section 504, for a hearing relating to any matter described in that section, if the Attorney General has the consent of the complainant;
(2) appear before the Commonwealth Court on behalf of any complainant who has applied for hearing under section 504; or
(3) with leave of the Commonwealth Court, appear as a party to any hearing applied for under section 504.
Section 506. Remedies.
The Commonwealth Court may, in addition to any other remedies it may give:
(1) order a person to correct its practices in order to comply with sections 301 through 310;
(2) order a person to publish a notice of any action taken or proposed to be taken to correct its practices, regardless of whether ordered to correct them under paragraph (1); and
(3) award damages to the complainant, including damages for any humiliation that the complainant has suffered.
Section 507. Summary hearings.
(a) General rule.--An application made under section 504 or 505 shall be heard and determined without delay and in a summary way unless the Commonwealth Court considers it inappropriate to do so.
(b) Precautions.--In any proceeding arising from an application made under section 504 or 505, the Commonwealth Court shall take every reasonable precaution, including, when appropriate, receiving representations ex parte and conducting hearings in camera, to avoid the disclosure by the court or any person of any information or other material that the person would be authorized to refuse to disclose if it were requested under section 909.

CHAPTER 7
AUDITS
Section 701. To ensure compliance.
(a) General rule.--The Attorney General may, on reasonable notice and at any reasonable time, audit the personal information management practices of an organization if the Attorney General has reasonable grounds to believe that the organization is violating a provision of this act and for that purpose may:
(1) Summon and enforce the appearance of persons before the Attorney General and compel them to give oral or written evidence under oath and to produce any records and things that the Attorney General considers necessary for the audit, in the same manner and to the same extent as a court of record.
(2) Administer oaths.
(3) Receive and accept any evidence and other information, whether under oath, by affidavit or otherwise, that the Attorney General sees fit, regardless of whether it is or would be admissible in a court of law.
(4) At any reasonable time, enter any premises, other than a dwelling house, occupied by the person on satisfying any security requirements of the person relating to the premises.
(5) Converse in private with any person in any premises entered under paragraph (4) and otherwise carry out in those premises any inquiries that the Attorney General sees fit.
(6) Examine or obtain copies of or extracts from records found in any premises entered under paragraph (4) that contain any matter relevant to the audit.
(b) Return of records.--The Attorney General shall return to a person any record or thing produced by the person under this section within ten days after the person makes a request to the Attorney General, but nothing precludes the Attorney General from again requiring that the record or thing be produced.
Section 702. Report of findings and recommendations.
(a) General rule.--After an audit, the Attorney General shall provide the audited organization with a report that contains the findings of the audit and any recommendations that the Attorney General considers appropriate.
(b) Inclusion in annual reports.--The report may be included in a report made under section 5106.

CHAPTER 9
PRINCIPLES
Section 901. Accountability.
An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization's compliance with the following:
(1) Accountability for the organization's compliance with the principles of this chapter rests with the designated individual or individuals, even if other individuals within the organization may be responsible for the day-to-day collection and processing of personal information. In addition, other individuals within the organization may be delegated to act on behalf of the designated individual or individuals.
(2) The identity of the individual or individuals designated by the organization to oversee the organization's compliance with the principles of this chapter shall be made known upon request.
(3) An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.
(4) Organizations shall implement policies and practices to give effect to the principles of this chapter, including:
(i) Implementing procedures to protect personal information.
(ii) Establishing procedures to receive and respond to complaints and inquiries.
(iii) Training staff and communicating to staff information about the organization's policies and practices.
(iv) Developing information to explain the organization's policies and procedures.
Section 902. Identifying purposes.
The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected, as follows:
(1) The organization shall document the purposes for which personal information is collected in order to comply with the openness principle (section 908) and the individual access principle (section 909).
(2) Identifying the purposes for which personal information is collected at or before the time of collection allows organizations to determine the information they need to collect to fulfill these purposes. The limiting collection principle (section 904) allows an organization to collect only that information necessary for the purposes that have been identified.
(3) The identified purposes should be specified at or before the time of collection to the individual from whom the personal information is collected. Depending upon the way in which the information is collected, this can be done orally or in writing. An application form, for example, may give notice of the purposes.
(4) When personal information that has been collected is to be used for a purpose not previously identified, the new purpose shall be identified prior to use. Unless the new purpose is required by law, the consent of the individual is required before information can be used for that purpose. For an elaboration on consent, see the consent principle (section 903).
(5) Persons collecting personal information should be able to explain to individuals the purposes for which the information is being collected.
Section 903. Consent.
The knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except where inappropriate:
(1) In certain circumstances personal information can be collected, used or disclosed without the knowledge and consent of the individual. For example, legal, medical or security reasons may make it impossible or impractical to seek consent. When information is being collected for the detection and prevention of fraud or for law enforcement, seeking the consent of the individual might defeat the purpose of collecting the information. Seeking consent may be impossible or inappropriate when the individual is a minor, seriously ill or mentally incapacitated. In addition, organizations that do not have a direct relationship with the individual may not always be able to seek consent. For example, seeking consent may be impractical for a charity or a direct-marketing firm that wishes to acquire a mailing list from another organization. In such cases, the organization providing the list would be expected to obtain consent before disclosing personal information.
(2) Consent is required for the collection of personal information and the subsequent use or disclosure of this information. Typically, an organization will seek consent for the use or disclosure of the information at the time of collection. In certain circumstances, consent with respect to use or disclosure may be sought after the information has been collected, but before use; for example, when an organization wants to use information for a purpose not previously identified.
(3) The consent principle requires "knowledge and consent." Persons must make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used. To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed.
(4) A person shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use or disclosure of information beyond that required to fulfill explicitly specified and legitimate purposes.
(5) The form of the consent sought by the person may vary, depending upon the circumstances and the type of information. In determining the form of consent to use, persons shall take into account the sensitivity of the information. Although some information, for example, medical records and income records, is almost always considered to be sensitive, any information can be sensitive, depending on the context. For example, the names and addresses of subscribers to a news magazine would generally not be considered sensitive information. However, the names and addresses of subscribers to some special-interest magazine might be considered sensitive.
(6) In obtaining consent, the reasonable expectations of the individual are also relevant. For example, an individual
1 buying a subscription to a magazine should reasonably expect 2 that the organization, in addition to using the individual's 3 name and address for mailing and billing purposes, would also 4 contact the person to solicit the renewal of the 5 subscription. In this case, the organization can assume that 6 the individual's request constitutes consent for specific 7 purposes. On the other hand, an individual would not 8 reasonably expect that personal information given to a health 9 care professional would be given to a company selling health 10 care products unless consent were obtained. Consent shall not 11 be obtained through deception. 12 (7) The way in which a person seeks consent may vary 13 depending on the circumstances and the type of information 14 collected. A person should generally seek express consent 15 when the information is likely to be considered sensitive. 16 Implied consent would generally be appropriate when the 17 information is less sensitive. Consent can also be given by 18 an authorized representative such as a legal guardian or a 19 person having power of attorney. 20 (8) Individuals can give consent in many ways. The ways 21 include: 22 (i) An application form may be used to seek consent, 23 collect information and inform the individual of the use 24 that will be made of the information. By completing and 25 signing the form, the individual is giving consent to the 26 collection and the specified uses. 27 (ii) A checkoff box may be used to allow individuals 28 to request that their names and addresses not be given to 29 other persons. Individuals who do not check the box are 30 assumed to consent to the transfer of this information to 20010H1822B2360 - 25 -
1 third parties. 2 (iii) Consent may be given orally when information 3 is collected over the telephone. 4 (iv) Consent may be given at the time that 5 individuals use a product or service. 6 (9) An individual may withdraw consent at any time, 7 subject to legal or contractual restrictions and reasonable 8 notice. The organization shall inform the individual of the 9 implications of withdrawal of consent. 10 Section 904. Limiting collection. 11 The collection of personal information shall be limited to 12 that which is necessary for the purposes identified by the 13 person. Information shall be collected by fair and lawful means, 14 as follows: 15 (1) Organizations shall not collect personal information 16 indiscriminately. Both the amount and the type of information 17 collected shall be limited to that which is necessary to 18 fulfill the purposes identified. Organizations shall specify 19 the type of information collected as part of their 20 information-handling policies and practices in accordance 21 with the openness principle (section 908). 22 (2) The requirement that personal information be 23 collected by fair and lawful means is intended to prevent 24 organizations from collecting information by misleading or 25 deceiving individuals about the purpose for which information 26 is being collected. This requirement implies that consent 27 with respect to collection must not be obtained through 28 deception. 29 Section 905. Limiting use, disclosure and retention. 30 Personal information shall not be used or disclosed for 20010H1822B2360 - 26 -
1 purposes other than those for which it was collected, except 2 with the consent of the individual or as required by law. 3 Personal information shall be retained only as long as necessary 4 for the fulfillment of those purposes as follows: 5 (1) Persons using personal information for a new purpose 6 shall document this purpose. 7 (2) Persons should develop guidelines and implement 8 procedures with respect to the retention of personal 9 information. The guidelines should include minimum and 10 maximum retention periods. Personal information that has been 11 used to make a decision about an individual shall be retained 12 long enough to allow the individual access to the information 13 after the decision has been made. An organization may be 14 subject to legislative requirements with respect to retention 15 periods. 16 (3) Personal information that is no longer required to 17 fulfill the identified purposes should be destroyed, erased 18 or made anonymous. Organizations shall develop guidelines and 19 implement procedures to govern the destruction of personal 20 information. 21 Section 906. Accuracy. 22 Personal information shall be as accurate, complete and up- 23 to-date as is necessary for the purposes for which it is to be 24 used: 25 (1) The extent to which personal information shall be 26 accurate, complete and up-to-date will depend upon the use of 27 the information, taking into account the interests of the 28 individual. Information shall be sufficiently accurate, 29 complete and up-to-date to minimize the possibility that 30 inappropriate information may be used to make a decision 20010H1822B2360 - 27 -
1 about the individual. 2 (2) An organization shall not routinely update personal 3 information unless such a process is necessary to fulfill the 4 purposes for which the information was collected. 5 (3) Personal information that is used on an ongoing 6 basis, including information that is disclosed to third 7 parties, should generally be accurate and up-to-date, unless 8 limits to the requirement for accuracy are clearly set out. 9 Section 907. Safeguards. 10 Personal information shall be protected by security 11 safeguards appropriate to the sensitivity of the information: 12 (1) The security safeguards shall protect personal 13 information against loss or theft, as well as unauthorized 14 access, disclosure, copying, use or modification. 15 Organizations shall protect personal information regardless 16 of the format in which it is held. 17 (2) The nature of the safeguards will vary depending on 18 the sensitivity of the information that has been collected, 19 the amount, distribution and format of the information and 20 the method of storage. More sensitive information should be 21 safeguarded by a higher level of protection. The concept of 22 sensitivity is discussed in section 903(5). 23 (3) The methods of protection shall include: 24 (i) Physical measures, for example, locked filing 25 cabinets and restricted access to offices. 26 (ii) Organizational measures, for example, security 27 clearances and limiting access on a "need-to-know" basis. 28 (iii) Technological measures, for example, the use 29 of passwords and encryption. 30 (4) Organizations shall make their employees aware of 20010H1822B2360 - 28 -
1 the importance of maintaining the confidentiality of personal 2 information. 3 (5) Care shall be used in the disposal or destruction of 4 personal information to prevent unauthorized parties from 5 gaining access to the information under section 903(3). 6 Section 908. Openness. 7 An organization shall make readily available to individuals 8 specific information about its policies and practices relating 9 to the management of personal information: 10 (1) Organizations shall be open about their policies and 11 practices with respect to the management of personal 12 information. Individuals shall be able to acquire information 13 about an organization's policies and practices without 14 unreasonable effort. This information shall be made available 15 in a form that is generally understandable. 16 (2) The information made available shall include: 17 (i) The name or title and address of the person who 18 is accountable for the organization's policies and 19 practices and to whom complaints or inquiries can be 20 forwarded. 21 (ii) The means of gaining access to personal 22 information held by the organization. 23 (iii) A description of the type of personal 24 information held by the organization, including a general 25 account of its use. 26 (iv) A copy of any brochures or other information 27 that explains the organization's policies, standards or 28 codes. 29 (v) What personal information is made available to 30 related organizations. 20010H1822B2360 - 29 -
1 (3) A person may make information on its policies and 2 practices available in a variety of ways. The method chosen 3 depends on the nature of its business and other 4 considerations. For example, a person may choose to make 5 brochures available in its place of business, mail 6 information to its customers, provide online access or 7 establish a toll-free telephone number. 8 Section 909. Individual access. 9 Upon request, an individual shall be informed of the 10 existence, use and disclosure of his or her personal information 11 and shall be given access to that information. An individual 12 shall be able to challenge the accuracy and completeness of the 13 information and have it amended as appropriate: 14 (1) In certain situations, a person may not be able to 15 provide access to all the personal information it holds about 16 an individual. Exceptions to the access requirement shall be 17 limited and specific. The reasons for denying access should 18 be provided to the individual upon request. Exceptions may 19 include information that is prohibitively costly to provide, 20 information that contains references to other individuals, 21 information that cannot be disclosed for legal, security or 22 commercial proprietary reasons, and information that is 23 subject to attorney-client or litigation privilege. 24 (2) Upon request, a person shall inform an individual 25 whether the person holds personal information about the 26 individual. Persons are encouraged to indicate the source of 27 this information. The person shall allow the individual 28 access to this information. However, the person may choose to 29 make sensitive medical information available through a 30 medical practitioner. In addition, the person shall provide 20010H1822B2360 - 30 -
1 an account of the use that has been made or is being made of 2 this information and an account of the third parties to which 3 it has been disclosed. 4 (3) An individual may be required to provide sufficient 5 information to permit a person to provide an account of the 6 existence, use and disclosure of personal information. The 7 information provided shall be used only for this purpose. 8 (4) In providing an account of third parties to which it 9 has disclosed personal information about an individual, a 10 person should attempt to be as specific as possible. When it 11 is not possible to provide a list of the organizations to 12 which it has actually disclosed information about an 13 individual, the person shall provide a list of organizations 14 to which it may have disclosed information about the 15 individual. 16 (5) A person shall respond to an individual's request 17 within a reasonable time and at minimal or no cost to the 18 individual. The requested information shall be provided or 19 made available in a form that is generally understandable. 20 For example, if the person uses abbreviations or codes to 21 record information, an explanation shall be provided. 22 (6) When an individual successfully demonstrates the 23 inaccuracy or incompleteness of personal information, the 24 person shall amend the information as required. Depending 25 upon the nature of the information challenged, amendment 26 involves the correction, deletion or addition of information. 27 Where appropriate, the amended information shall be 28 transmitted to third parties having access to the information 29 in question. 30 (7) When a challenge is not resolved to the satisfaction 20010H1822B2360 - 31 -
1 of the individual, the substance of the unresolved challenge 2 shall be recorded by the person. When appropriate, the 3 existence of the unresolved challenge shall be transmitted to 4 third parties having access to the information in question. 5 Section 910. Challenging compliance. 6 An individual shall be able to address a challenge concerning 7 compliance with the principles of this chapter to the designated 8 individual or individuals accountable for an organization's 9 compliance: 10 (1) The individual accountable for an organization's 11 compliance is discussed in this chapter. 12 (2) Organizations shall put procedures in place to 13 receive and respond to complaints or inquiries about their 14 policies and practices relating to the handling of personal 15 information. The complaint procedures shall be easily 16 accessible and simple to use. 17 (3) Organizations shall inform individuals who make 18 inquiries or lodge complaints about the existence of relevant 19 complaint procedures. A range of these procedures may exist. 20 For example, some regulatory bodies accept complaints about 21 the personal-information handing practices of the companies 22 they regulate. 23 (4) A person shall investigate all complaints. If a 24 complaint is found to be justified, the person shall take 25 appropriate measures, including, if necessary, amending its 26 policies and practices. 27 CHAPTER 51 28 GENERAL PROVISIONS 29 Section 5101. Confidentiality. 30 (a) General rule.--Subject to subsections (b) through (e), 20010H1822B2360 - 32 -
1 sections 503(c) and 702(a), the Attorney General or any person 2 acting on behalf or under the direction of the Attorney General 3 shall not disclose any information that comes to his knowledge 4 as a result of the performance or exercise of any of the 5 Attorney General's duties or powers under this act. 6 (b) Public interest.--The Attorney General may make public 7 any information relating to the personal information management 8 practices of a person if the Attorney General determines that it 9 is in the public interest to do so. 10 (c) Disclosure of necessary information.--The Attorney 11 General may disclose or may authorize any person acting on 12 behalf or under the direction of the Attorney General to 13 disclose information that in the Attorney General's opinion is 14 necessary to conduct an investigation or audit under this act or 15 establish the grounds for findings and recommendations contained 16 in a report under this act. 17 (d) Disclosure in the course of proceedings.--The Attorney 18 General may disclose or may authorize any person acting on 19 behalf or under the direction of the Attorney General to 20 disclose information in the course of: 21 (1) a prosecution for an offense under section 5112; 22 (2) a prosecution for an offense under 18 Pa.C.S. Ch. 49 23 (relating to falsification and intimidation) with respect to 24 a statement made under this act; 25 (3) a hearing before a court under this act; or 26 (4) an appeal from a decision of a court. 27 (e) Disclosure in the course of offense authorized.--The 28 Attorney General may disclose to a law enforcement agency 29 information relating to the commission of an offense against any 30 law on the part of a person if, in the Attorney General's 20010H1822B2360 - 33 -
1 opinion, there is evidence of an offense. 2 Section 5102. Not competent witness. 3 The Attorney General or person acting on behalf or under the 4 direction of the Attorney General is not a competent witness 5 with respect to any matter that comes to their knowledge as a 6 result of the performance or exercise of any of the Attorney 7 General's duties or powers under this act in any proceeding 8 other than: 9 (1) a prosecution for an offense under section 5111; 10 (2) a prosecution for an offense under 18 Pa.C.S. Ch. 49 11 (relating to falsification and intimidation) with respect to 12 a statement made under this act; 13 (3) a hearing before a court under this act; or 14 (4) an appeal from a decision of a court. 15 Section 5103. Protection of Attorney General. 16 (a) Criminal or civil process.--No criminal or civil 17 proceedings lie against the Attorney General or against any 18 person acting on behalf or under the direction of the Attorney 19 General for anything done, reported or said in good faith as a 20 result of the performance or exercise or purported performance 21 or exercise of any duty or power of the Attorney General under 22 this act. 23 (b) Libel or slander.--For the purposes of any law relating 24 to libel or slander: 25 (1) anything said, any information supplied or any 26 record or thing produced in good faith in the course of an 27 investigation or audit carried out by or on behalf of the 28 Attorney General under this act is privileged; and 29 (2) any report made in good faith by the Attorney 30 General under this act and any fair and accurate account of 20010H1822B2360 - 34 -
1 the report made in good faith for the purpose of news 2 reporting is privileged. 3 Section 5104. Consultation with other states and Federal 4 Government. 5 If the Attorney General considers it appropriate to do so or 6 on the request of an interested person, the Attorney General 7 may, in order to ensure that personal information is protected 8 as consistently as possible, consult with other states and the 9 Federal Government and may enter into agreements: 10 (1) To coordinate the activities of their offices and to 11 provide for mechanisms for the handling of any complaint in 12 which they are mutually interested. 13 (2) To undertake and publish research related to the 14 protection of personal information. 15 (3) To develop model contracts for the protection of 16 personal information that is collected, used or disclosed 17 among states or internationally. 18 Section 5105. Promotion of purposes of act. 19 The Attorney General shall: 20 (1) Develop and conduct information programs to foster 21 public understanding and recognition of the purpose of this 22 act. 23 (2) Undertake and publish research that is related to 24 the protection of personal information. 25 (3) Encourage organizations to develop detailed policies 26 and practices, including organizational codes of practice, to 27 comply with sections 301 through 310. 28 (4) Promote, by any means that the Attorney General 29 considers appropriate, the purposes of this act. 30 Section 5106. Annual report. 20010H1822B2360 - 35 -
1 The Attorney General shall, as soon as practicable after the 2 end of each calendar year, submit to the General Assembly a 3 report concerning the application of this act, the extent to 4 which other states and Congress have enacted legislation that is 5 substantially similar to this act and the application of any 6 such legislation. Before preparing the report, the Attorney 7 General shall consult with those persons in the other states and 8 Congress who, in the Attorney General's opinion, are in a 9 position to assist the Attorney General in the reporting of 10 personal information that is collected, used or disclosed among 11 states or internationally. 12 Section 5107. Regulations. 13 The Attorney General may promulgate regulations: 14 (1) specifying by name or by class what is a government 15 institution or part of a government institution for the 16 purposes of any provision of this act; 17 (2) specifying by name or by class what is an 18 investigative body for the purposes of section 304(5); 19 (3) specifying information or classes of information for 20 the purpose of sections 302(4), 303(4) and 304(10); and 21 (4) for carrying out the purposes and provisions of this 22 act. 23 Section 5108. Whistleblowing. 24 (a) General rule.--An individual who has reasonable grounds 25 to believe that a person has violated or intends to violate a 26 provision of this act may notify the Attorney General of the 27 particulars of the matter. 28 (b) Confidentiality.--The Attorney General shall keep 29 confidential the identity of an individual who has notified the 30 Attorney General under subsection (a). 20010H1822B2360 - 36 -
1 (c) Prohibition.--No employer shall dismiss, suspend, 2 demote, discipline, harass or otherwise disadvantage an employee 3 or deny an employee a benefit of employment by reason that: 4 (1) the employee, acting in good faith and on the basis 5 of reasonable belief, disclosed to the Attorney General that 6 the employer or any other person violated or intended to 7 violate a provision of this act; 8 (2) the employee, acting in good faith and on the basis 9 of reasonable belief, refused or stated an intention of 10 refusing to do anything that is a violation of a provision of 11 this act; 12 (3) the employee, acting in good faith and on the basis 13 of reasonable belief, did or stated an intention to do 14 anything that is required to be done in order that a 15 provision of this act not be violated; or 16 (4) the employer believes that the employee will do 17 anything referred to in paragraph (1), (2) or (3). 18 (d) Saving.--Nothing in this section impairs the right of an 19 employee either at law or under an employment contract or 20 collective agreement. 21 (e) Definitions.--As used in this section, the following 22 words and phrases shall have the meanings given to them in this 23 subsection: 24 "Employee." The term includes an independent contractor. 25 "Employer." The term includes an independent contractor. 26 Section 5109. Review by Senate and House of Representatives 27 committees. 28 The administration of this act shall be reviewed by the 29 appropriate committees of the Senate and the House of 30 Representatives. The committees shall review the provisions and 20010H1822B2360 - 37 -
1 operation of this act and shall, within a year after the review 2 is undertaken, submit a report to the General Assembly that 3 includes any recommended changes to this act or its 4 administration. 5 Section 5110. Application. 6 (a) Personal health information.--This act does not apply to 7 any person with respect to personal health information that it 8 collects, uses or discloses. 9 (b) Expiration date.--Subsection (a) expires one year after 10 the effective date of this act. 11 Section 5111. Penalty. 12 A person who knowingly violates section 307(h) or 5108(c) or 13 who obstructs the Attorney General or the investigation of a 14 complaint or in conducting an audit commits a misdemeanor of the 15 first degree and, upon conviction, shall be sentenced to a fine 16 of not more than $10,000. 17 Section 5112. Repeals. 18 All acts and parts of acts are repealed insofar as they are 19 inconsistent with this act. 20 Section 5113. Effective date. 21 This act shall take effect in 90 days. E5L01MRD/20010H1822B2360 - 38 -