Volume 22 Number 21, November 19, 2002
(Excerpted From Page 1)
HS BILL CREATES SENIOR PRIVACY OFFICER;
CENTRALIZES AIRLINE, IMMIGRATION DATABASES
Legislation to create a Dept. of Homeland
Security is expected to improve federal ability to engage in electronic
and database surveillance and to crack down on computer hackers.
On the other hand, the bill includes what might be the first statutorily
created, senior privacy officer charged with conducting privacy
impact assessments and other duties. It also would ban a contemplated
federal spy program, enlisting the help of everyone from Postal
carriers to utility workers, called TIPS.
The measure, which is expected to be passed
by the Senate November 19 and later signed by President Bush, also
would exempt from Freedom of Information Act disclosure records
provided voluntarily by companies that relate to the nation's "critical
infrastructure." The defeat of proposed amendments by Senate Democrats
meant that the bill would also exempt the new department's advisory
committees from an open meetings law, the Federal Advisory Committee
Contrary to some published reports, the bill contains
no authorization for a "Total
Information Awareness," a comprehensive data-mining
effort proposed by the Pentagon that would break down long-established
barriers against domestic surveillance (see story below).
But the proposed agency would combine several surveillance
efforts under one roof, from airline-passenger screening programs
to immigration databases and criminal financial investigations.
An office would oversee and coordinate their efforts.
The House added a measure that would boost penalties
for cyber crimes and make it easier for Internet providers to report
suspicious activity on their networks. Hackers could face life in
prison if their activities were found to put human lives at risk,
while Internet providers could hand over logs of customer activity
without fear of lawsuits.
The Secretary of Homeland Security would "appoint
a senior official . . . to assume primary responsibility for privacy
- Assuring that the use of technologies sustain,
and do not erode, privacy protections relating to the use, collection,
and disclosure of personal information;
- Assuring that personal information contained
in Privacy Act systems of records is handled in full compliance
with fair information practices as set out in the Privacy Act
- Evaluating legislative and regulatory proposals
involving collection, use, and disclosure of personal information
by the Federal Government;
- Conducting a privacy impact assessment of proposed
rules of the dept. or that of the Department on the privacy of
personal information, including the type of personal information
collected and the number of people affected;
- Preparing a report to Congress on an annual basis
on activities of the Department that affect privacy, including
complaints of privacy violations, implementation of the Privacy
Act of 1974, internal controls, and other matters."
Recognizing the sensitive nature of anti-terrorist
data, the bill would require the new
Secretary to limit re-dissemination of such data
and to ensure that they are not used for an unauthorized purpose,
and to ensure their security and confidentiality. The Secretary
would also be tasked with protecting the constitutional and statutory
rights of any individuals who are subjects of such information;
and providing data integrity through the timely removal and destruction
of obsolete or erroneous names and information.
In terms of dissemination, the department could
issue alerts and advisories, but could withhold "information that
is proprietary, business sensitive, relates specifically to the
submitting person or entity, or is otherwise not appropriately in
the public domain." The FOIA exemption for critical infrastructure
data extends to state openness laws and to disclosure in civil discovery.
The legislation imposes on each federal agency new
information security duties in the form of a "Federal Information
Security Management Act." It creates a coordinating director within
the Administration. While it recognizes the utility of commercial
products, the statute adds, "The selection of specific technical
hardware and software information security solutions should be left
to individual agencies from among commercially developed products."
The bill's text is available at http://news.findlaw.com/hdocs/docs/terrorism/hr5710homsecbil.pdf
Senior privacy officer section (Pages 49-50); FOIA
and CII (Pages 42-44); information security standards (Pages 323-330).