PRINTER'S NO. 971
No. 842 Session of 2001
INTRODUCED BY CORMAN, BRIGHTBILL, ORIE, TILGHMAN, BOSCOLA, KUKOVICH, MOWERY, MUSTO, O'PAKE, RHOADES, SCHWARTZ, TARTAGLIONE, M. WHITE AND GREENLEAF, MAY 7, 2001
REFERRED TO COMMUNICATIONS AND HIGH TECHNOLOGY, MAY 7, 2001
AN ACT 1 Establishing the Bureau of Privacy Protection within the Office 2 of Attorney General; providing for its powers and duties; 3 requiring State agencies to develop and implement permanent 4 privacy policies; and requiring an annual report to the 5 General Assembly. 6 The General Assembly of the Commonwealth of Pennsylvania 7 hereby enacts as follows: 8 Section 1. Short title. 9 This act shall be known and may be cited as the Personal 10 Information and Privacy Protection Act. 11 Section 2. Definitions. 12 The following words and phrases when used in this act shall 13 have the meanings given to them in this section unless the 14 context clearly indicates otherwise: 15 "Bureau." The Bureau of Privacy Protection within the Office 16 of Attorney General. 17 "Personal information." Any information that would reveal a 18 person's identity. This includes, but is not limited to, name, 19 date of birth, Social Security number, address and telephone
1 number. 2 "State agency." Any administrative department, board or 3 commission and any independent administrative department, board 4 or commission of the executive branch. The term also includes 5 any university in this Commonwealth that is designated as State- 6 related by the Commonwealth and any university within the State 7 System of Higher Education. 8 Section 3. Bureau of Privacy Protection. 9 (a) Establishment.--There is hereby established in the 10 Office of Attorney General a bureau to be known as the Bureau of 11 Privacy Protection. The bureau shall be under the direction of 12 the Attorney General or his designee. The bureau shall protect 13 the privacy of individuals' personal information in a manner 14 consistent with the laws of this Commonwealth by identifying and 15 responding to consumer problems and complaints in the privacy 16 area and facilitating development of fair information practices 17 consistent with the goals set forth in this section. 18 (b) Duties.--The bureau shall: 19 (1) Inform the public of potential options for 20 protecting the privacy of and avoiding the misuse of personal 21 information. 22 (2) Make recommendations to organizations for privacy 23 policies and practices that promote and protect the interests 24 of consumers in this Commonwealth. 25 (3) If it decides to do so, promote voluntary and 26 mutually agreed-upon nonbinding arbitration and mediation of 27 privacy-related disputes where appropriate. 28 (c) Duties of Attorney General.--The Attorney General or his 29 designee shall: 30 (1) Receive complaints from individuals concerning any 20010S0842B0971 - 2 -
1 persons' obtaining, compiling, maintaining, using, disclosing 2 or disposing of personal information in a manner that may be 3 potentially unlawful or violate a stated privacy policy 4 relating to that individual and shall provide advice, 5 information and referral where available. 6 (2) Provide information to consumers on effective ways 7 of handling complaints that involve violations of privacy- 8 related laws, including identity theft and identity fraud. 9 Where appropriate Federal, State or local agencies are 10 available to assist consumers with those complaints, the 11 Attorney General shall refer those complaints to those 12 agencies. 13 (3) Develop information and educational programs and 14 materials to foster public understanding and recognition of 15 the purposes of this section. 16 (4) Investigate and assist in the prosecution of 17 identity theft and other privacy-related crimes and, as 18 necessary, coordinate with Federal, State and local law 19 enforcement agencies in the investigation of similar crimes. 20 (5) Assist and coordinate in the training of Federal, 21 State and local law enforcement agencies regarding identity 22 theft and other privacy-related crimes, as appropriate. 23 (6) Coordinate with State agencies to establish a 24 Statewide privacy policy and, in so doing, shall respect the 25 particular circumstances of each State agency. 26 Section 4. State agency permanent privacy policy. 27 (a) General rule.--Each State agency shall develop and 28 implement in conjunction with the Office of Information 29 Technology under the Office of Administration a permanent 30 privacy policy that includes, but is not limited to, the 20010S0842B0971 - 3 -
1 following principles: 2 (1) Personally identifiable information is only obtained 3 through lawful means. 4 (2) The purposes for which personally identifiable data 5 are collected are specified at or prior to the time of 6 collection and any subsequent use is limited to the 7 fulfillment of purposes not inconsistent with those purposes 8 previously specified. 9 (3) Personal data shall not be disclosed, made available 10 or otherwise used for purposes other than those specified, 11 except with the express written consent of the subject of the 12 data or as authorized by law or regulation. 13 (4) Personal data collected must be relevant to the 14 purpose for which it is collected. 15 (5) The general means by which personal data is 16 protected against loss, unauthorized access, use modification 17 or disclosure shall be posted, unless such disclosure of 18 general means would compromise legitimate State agency 19 objectives or law enforcement purposes. 20 (6) Each State agency shall designate a position within 21 the State agency, the duties of which shall include, but not 22 be limited to, responsibility for the privacy policy within 23 that State agency. 24 (b) Rules and regulations.--The Office of Administration in 25 conjunction within the Office of Information Technology may 26 promulgate rules and regulations to administer and enforce this 27 section. 28 Section 5. Report to General Assembly. 29 Commencing in 2003, the Attorney General or his designee 30 shall report to the General Assembly on an annual basis, on or 20010S0842B0971 - 4 -
1 before January 31, detailing the activities engaged in by the 2 bureau under this act. 3 Section 6. Commencement of activities. 4 The bureau shall commence activities under this act no later 5 than January 1, 2002. 6 Section 7. Effective date. 7 This act shall take effect in 60 days. D10L71SFL/20010S0842B0971 - 5 -