PRINTER'S NO. 971
No. 842 Session of 2001
INTRODUCED BY CORMAN, BRIGHTBILL, ORIE, TILGHMAN, BOSCOLA,
KUKOVICH, MOWERY, MUSTO, O'PAKE, RHOADES, SCHWARTZ,
TARTAGLIONE, M. WHITE AND GREENLEAF, MAY 7, 2001
REFERRED TO COMMUNICATIONS AND HIGH TECHNOLOGY, MAY 7, 2001
AN ACT
1 Establishing the Bureau of Privacy Protection within the Office
2 of Attorney General; providing for its powers and duties;
3 requiring State agencies to develop and implement permanent
4 privacy policies; and requiring an annual report to the
5 General Assembly.
6 The General Assembly of the Commonwealth of Pennsylvania
7 hereby enacts as follows:
8 Section 1. Short title.
9 This act shall be known and may be cited as the Personal
10 Information and Privacy Protection Act.
11 Section 2. Definitions.
12 The following words and phrases when used in this act shall
13 have the meanings given to them in this section unless the
14 context clearly indicates otherwise:
15 "Bureau." The Bureau of Privacy Protection within the Office
16 of Attorney General.
17 "Personal information." Any information that would reveal a
18 person's identity. This includes, but is not limited to, name,
19 date of birth, Social Security number, address and telephone
1 number.
2 "State agency." Any administrative department, board or
3 commission and any independent administrative department, board
4 or commission of the executive branch. The term also includes
5 any university in this Commonwealth that is designated as State-
6 related by the Commonwealth and any university within the State
7 System of Higher Education.
8 Section 3. Bureau of Privacy Protection.
9 (a) Establishment.--There is hereby established in the
10 Office of Attorney General a bureau to be known as the Bureau of
11 Privacy Protection. The bureau shall be under the direction of
12 the Attorney General or his designee. The bureau shall protect
13 the privacy of individuals' personal information in a manner
14 consistent with the laws of this Commonwealth by identifying and
15 responding to consumer problems and complaints in the privacy
16 area and facilitating development of fair information practices
17 consistent with the goals set forth in this section.
18 (b) Duties.--The bureau shall:
19 (1) Inform the public of potential options for
20 protecting the privacy of and avoiding the misuse of personal
21 information.
22 (2) Make recommendations to organizations for privacy
23 policies and practices that promote and protect the interests
24 of consumers in this Commonwealth.
25 (3) If it decides to do so, promote voluntary and
26 mutually agreed-upon nonbinding arbitration and mediation of
27 privacy-related disputes where appropriate.
28 (c) Duties of Attorney General.--The Attorney General or his
29 designee shall:
30 (1) Receive complaints from individuals concerning any
20010S0842B0971 - 2 -
1 persons' obtaining, compiling, maintaining, using, disclosing
2 or disposing of personal information in a manner that may be
3 potentially unlawful or violate a stated privacy policy
4 relating to that individual and shall provide advice,
5 information and referral where available.
6 (2) Provide information to consumers on effective ways
7 of handling complaints that involve violations of privacy-
8 related laws, including identity theft and identity fraud.
9 Where appropriate Federal, State or local agencies are
10 available to assist consumers with those complaints, the
11 Attorney General shall refer those complaints to those
12 agencies.
13 (3) Develop information and educational programs and
14 materials to foster public understanding and recognition of
15 the purposes of this section.
16 (4) Investigate and assist in the prosecution of
17 identity theft and other privacy-related crimes and, as
18 necessary, coordinate with Federal, State and local law
19 enforcement agencies in the investigation of similar crimes.
20 (5) Assist and coordinate in the training of Federal,
21 State and local law enforcement agencies regarding identity
22 theft and other privacy-related crimes, as appropriate.
23 (6) Coordinate with State agencies to establish a
24 Statewide privacy policy and, in so doing, shall respect the
25 particular circumstances of each State agency.
26 Section 4. State agency permanent privacy policy.
27 (a) General rule.--Each State agency shall develop and
28 implement in conjunction with the Office of Information
29 Technology under the Office of Administration a permanent
30 privacy policy that includes, but is not limited to, the
20010S0842B0971 - 3 -
1 following principles:
2 (1) Personally identifiable information is only obtained
3 through lawful means.
4 (2) The purposes for which personally identifiable data
5 are collected are specified at or prior to the time of
6 collection and any subsequent use is limited to the
7 fulfillment of purposes not inconsistent with those purposes
8 previously specified.
9 (3) Personal data shall not be disclosed, made available
10 or otherwise used for purposes other than those specified,
11 except with the express written consent of the subject of the
12 data or as authorized by law or regulation.
13 (4) Personal data collected must be relevant to the
14 purpose for which it is collected.
15 (5) The general means by which personal data is
16 protected against loss, unauthorized access, use modification
17 or disclosure shall be posted, unless such disclosure of
18 general means would compromise legitimate State agency
19 objectives or law enforcement purposes.
20 (6) Each State agency shall designate a position within
21 the State agency, the duties of which shall include, but not
22 be limited to, responsibility for the privacy policy within
23 that State agency.
24 (b) Rules and regulations.--The Office of Administration in
25 conjunction within the Office of Information Technology may
26 promulgate rules and regulations to administer and enforce this
27 section.
28 Section 5. Report to General Assembly.
29 Commencing in 2003, the Attorney General or his designee
30 shall report to the General Assembly on an annual basis, on or
20010S0842B0971 - 4 -
1 before January 31, detailing the activities engaged in by the
2 bureau under this act.
3 Section 6. Commencement of activities.
4 The bureau shall commence activities under this act no later
5 than January 1, 2002.
6 Section 7. Effective date.
7 This act shall take effect in 60 days.
D10L71SFL/20010S0842B0971 - 5 -