                                                      PRINTER'S NO. 2360

THE GENERAL ASSEMBLY OF PENNSYLVANIA


HOUSE BILL

No. 1822 Session of 2001


        INTRODUCED BY ARMSTRONG, THOMAS, RAYMOND AND TIGUE,
           JUNE 21, 2001

        REFERRED TO COMMITTEE ON INTERGOVERNMENTAL AFFAIRS,
           JUNE 21, 2001

                                     AN ACT

     1  Providing for protection of personal information in the private
     2     sector, for collection, disclosure and use of personal
     3     information, for written request, for access, for sensory
     4     disability, for remedies, for complaints, for reports, for
     5     hearings, for audits, for compliance, for findings and
     6     recommendations, for accountability, for consent, for
     7     accuracy, for safeguards, for openness, for compliance, for
     8     confidentiality, for witnesses, for authority and duty of
     9     Attorney General, for consultation with other states and
    10     Federal Government, for annual report, for regulations, for
    11     whistleblowing, for review by Senate and House of
    12     Representatives committees and for repeals.

    13  Chapter 1.  Preliminary Provisions
    14  Section 101.  Short title.
    15  Section 102.  Definitions.
    16  Section 103.  Purpose.
    17  Section 104.  Application.
    18  Chapter 3.  Protection of Personal Information
    19  Section 301.  General rules.
    20  Section 302.  Collection of personal information.
    21  Section 303.  Use of personal information.
    22  Section 304.  Disclosure without knowledge or consent.


     1  Section 305.  Use without consent.
     2  Section 306.  Disclosure without consent.
     3  Section 307.  Written request.
     4  Section 308.  When access prohibited.
     5  Section 309.  When access may be refused.
     6  Section 310.  Sensory disability.
     7  Chapter 5.  Remedies
     8  Section 501.  Complaints.
     9  Section 502.  Investigations of complaints.
    10  Section 503.  Report.
    11  Section 504.  Hearing by court.
    12  Section 505.  Complaints not initiated by Attorney General.
    13  Section 506.  Remedies.
    14  Section 507.  Summary hearings.
    15  Chapter 7.  Audits
    16  Section 701.  To ensure compliance.
    17  Section 702.  Report of findings and recommendations.
    18  Chapter 9.  Principles
    19  Section 901.  Accountability.
    20  Section 902.  Identifying purposes.
    21  Section 903.  Consent.
    22  Section 904.  Limiting collection.
    23  Section 905.  Limiting use, disclosure and retention.
    24  Section 906.  Accuracy.
    25  Section 907.  Safeguards.
    26  Section 908.  Openness.
    27  Section 909.  Individual access.
    28  Section 910.  Challenging compliance.
    29  Chapter 51.  General Provisions
    30  Section 5101.  Confidentiality.
    20010H1822B2360                  - 2 -

     1  Section 5102.  Not competent witness.
     2  Section 5103.  Protection of Attorney General.
     3  Section 5104.  Consultation with other states and Federal
     4                 Government.
     5  Section 5105.  Promotion of purposes of act.
     6  Section 5106.  Annual report.
     7  Section 5107.  Regulations.
     8  Section 5108.  Whistleblowing.
     9  Section 5109.  Review by Senate and House of Representatives
    10             committees.
    11  Section 5110.  Application.
    12  Section 5111.  Penalty.
    13  Section 1512.  Repeals.
    14  Section 1513.  Effective date.
    15     The General Assembly of the Commonwealth of Pennsylvania
    16  hereby enacts as follows:
    17                             CHAPTER 1
    18                       PRELIMINARY PROVISIONS
    19  Section 101.  Short title.
    20     This act shall be known and may be cited as the Protection of
    21  Personal Information Act.
    22  Section 102.  Definitions.
    23     The following words and phrases when used in this act shall
    24  have the meanings given to them in this section unless the
    25  context clearly indicates otherwise:
    26     "Alternative format."  With respect to personal information,
    27  the term means a format that allows a person with a sensory
    28  disability to read or listen to the personal information.
    29     "Commercial activity."  Any transaction, act or conduct or
    30  any regular course of conduct that is of a commercial character,
     1  including the selling, bartering or leasing of donor, membership
     2  or other fundraising lists.
     3     "Organization."  The term includes a corporation, partnership
     4  and association.
     5     "Person."  The term includes a corporation, partnership and
     6  association, as well as an individual.
     7     "Personal health information."  With respect to an
     8  individual, whether living or deceased, the term includes:
     9         (1)  Information concerning the physical or mental health
    10     of the individual.
    11         (2)  Information concerning any health service provided
    12     to the individual.
    13         (3)  Information concerning the donation by the
    14     individual of any body part or any bodily substance of the
    15     individual or information derived from the testing or
    16     examination of a body part or bodily substance of the
    17     individual.
    18         (4)  Information collected in the course of providing
    19     health services to the individual.
    20         (5)  Information collected incidentally to the provision
    21     of health services to the individual.
    22     "Personal information."  Information about an identifiable
    23  individual, not including the name, title or business address or
    24  telephone number of an employee of an organization.
    25     "Record."  Any correspondence, memorandum, book, plan, map,
    26  drawing, diagram, pictorial or graphic work, photograph, film,
    27  microfilm, sound recording, videotape or machine-readable record
    28  and any other documentary material, regardless of physical form
    29  or characteristics, and any copy of any of the foregoing.
    30  Section 103.  Purpose.
     1     The purpose of this act is to establish, in an era in which
     2  technology increasingly facilitates the circulation and exchange
     3  of information, rules to govern the collection, use and
     4  disclosure of personal information in a manner that recognizes
     5  the right of privacy of individuals with respect to their
     6  personal information and the need of organizations to collect,
     7  use or disclose personal information for purposes that a
     8  reasonable person would consider appropriate in the
     9  circumstances.
    10  Section 104.  Application.
    11     (a)  General rule.--This act applies to every person with
    12  respect to personal information that:
    13         (1)  the person collects, uses or discloses in the course
    14     of commercial activities; or
    15         (2)  is about an employee of the person and that the
    16     person collects, uses or discloses in connection with the
    17     operation of any work, undertaking or business.
    18     (b)  Exceptions.--This act does not apply to:
    19         (1)  An individual with respect to personal information
    20     that the individual collects, uses or discloses for personal
    21     or domestic purposes and does not collect, use or disclose
    22     for any other purpose.
    23         (2)  A person with respect to personal information that
    24     the person collects, uses or discloses for journalistic,
    25     artistic or literary purposes and does not collect, use or
    26     disclose for any other purpose.
    27         (3)  Every provision of this act applies notwithstanding
    28     any provision of an act enacted after the effective date of
    29     this act, unless the later act expressly provides that the
    30     provision operates notwithstanding the provision of this act.
     1                             CHAPTER 3
     2                 PROTECTION OF PERSONAL INFORMATION
     3  Section 301.  General rules.
     4     (a)  Purposes.--A person may collect, use or disclose
     5  personal information only for purposes that a reasonable
     6  individual would consider appropriate in the circumstances.
     7     (b)  Obligation of organization.--The designation of an
     8  individual under section 901 does not relieve the organization
     9  of the obligation to comply with the obligations set out in
    10  Chapter 9.
    11  Section 302.  Collection of personal information.
    12     For the purpose of section 903, and notwithstanding the
    13  provisions of section 903(1), a person may collect personal
    14  information without the knowledge or consent of the individual
    15  only if:
    16         (1)  The collection is clearly in the interests of the
    17     individual and consent cannot be obtained in a timely manner.
    18         (2)  It is reasonable to expect that the collection with
    19     the knowledge or consent of the individual would compromise
    20     the availability or the accuracy of the information and the
    21     collection is reasonable for purposes related to
    22     investigating a breach or an agreement or a contravention of
    23     the laws of this Commonwealth or the United States.
    24         (3)  The collection is solely for journalistic, artistic
    25     or literary purposes.
    26         (4)  The information is publicly available.
    27  Section 303.  Use of personal information.
    28     For the purpose of section 903, and notwithstanding the
    29  provisions of section 903(1), a person may, without the
    30  knowledge or consent of the individual, use personal information
     1  only if:
     2         (1)  in the course of its activities, the person becomes
     3     aware of information that it has reasonable grounds to
     4     believe could be useful in the investigation of a
     5     contravention of the laws of this Commonwealth or the United
     6     States that has been, is being or is about to be committed,
     7     and the information is used for the purpose of investigating
     8     that contravention;
     9         (2)  it is used for the purpose of acting with respect to
    10     an emergency that threatens the life, health or security of
    11     an individual;
    12         (3)  it is used for statistical or scholarly study or
    13     research purposes that cannot be achieved without using the
    14     information, the information is used in a manner that will
    15     ensure its confidentiality, it is impracticable to obtain
    16     consent, and the organization informs the Attorney General of
    17     the use before the information is used;
    18         (4)  it is publicly available; or
    19         (5)  it was collected under section 302(1) or (2).
    20  Section 304.  Disclosure without knowledge or consent.
    21     For the purpose of section 503, and notwithstanding the
    22  provisions of section 903(1), a person may disclose personal
    23  information without the knowledge or consent of the individual
    24  only if the disclosure is:
    25         (1)  made to an attorney who is representing the person;
    26         (2)  for the purpose of collecting a debt owed by the
    27     individual to the person;
    28         (3)  required to comply with a subpoena or warrant issued
    29     or an order made by a court with jurisdiction to compel the
    30     production of information or to comply with rules of court
     1     relating to the production of records;
     2         (4)  made to a government institution or part of a
     3     government institution that has made a request for the
     4     information, identified its lawful authority to obtain the
     5     information and indicated that:
     6             (i)  it suspects that the information relates to
     7         national security or the conduct of international
     8         affairs;
     9             (ii)  the disclosure is requested for the purpose of
    10         enforcing any law of this Commonwealth or the United
    11         States, carrying out an investigation relating to the
    12         enforcement of any such law or gathering intelligence for
    13         the purpose of enforcing any such law; or
    14             (iii)  the disclosure is requested for the purpose of
    15         administering any law of this Commonwealth or the United
    16         States;
    17         (5)  made on the initiative of the person to an
    18     investigative body, a government institution or a part of a
    19     government institution and the person:
    20             (i)  has reasonable grounds to believe that the
    21         information relates to a breach of an agreement or a
    22         contravention of laws of this Commonwealth or the United
    23         States that has been, is being or is about to be
    24         committed; or
    25             (ii)  suspects that the information relates to
    26         national security or the conduct of international
    27         affairs;
    28         (6)  made to a person who needs the information because
    29     of an emergency that threatens the life, health or security
    30     of an individual and, if the individual about whom the
     1     information exists is alive, the person informs that
     2     individual of the disclosure in writing without delay;
     3         (7)  for statistical or scholarly study or research
     4     purposes that cannot be achieved without disclosing the
     5     information, it is impracticable to obtain consent and the
     6     person informs the Attorney General of the disclosure before
     7     the information is disclosed;
     8         (8)  made to an institution whose functions include the
     9     conservation of records of historic or archival importance
    10     and the disclosure is made for the purpose of such
    11     conservation;
    12         (9)  made after the earlier of 100 years after the record
    13     containing the information was created or 20 years after the
    14     death of the individual about whom the information exists;
    15         (10)  of information that is publicly available;
    16         (11)  made by an investigative body and the disclosure is
    17     reasonable for purposes related to investigating a breach of
    18     an agreement or a contravention of the laws of this
    19     Commonwealth or the United States; or
    20         (12)  required by law.
    21  Section 305.  Use without consent.
    22     Notwithstanding section 505, a person may use personal
    23  information for purposes other than those for which it was
    24  collected in any of the circumstances set out in section 303.
    25  Section 306.  Disclosure without consent.
    26     Notwithstanding section 905, a person may disclose personal
    27  information for purposes other than those for which it was
    28  collected in any of the circumstances set out in section 304(1)
    29  through (9).
    30  Section 307.  Written request.
     1     (a)  Request in writing.--A request under section 909 must be
     2  made in writing.
     3     (b)  Assistance.--A person must assist any individual who
     4  informs the person that assistance is needed in preparing a
     5  request to the person.
     6     (c)  Time limit.--A person shall respond to a request with
     7  due diligence and in any case not later than 30 days after
     8  receipt of the request.
     9     (d)  Extension of time.--A person may extend the time limit:
    10         (1)  for a maximum of 30 days if:
    11             (i)  meeting the time limit would unreasonably
    12         interfere with the activities of the person; or
    13             (ii)  the time required to undertake any
    14         consultations necessary to respond to the request would
    15         make the time limit impracticable to meet; or
    16         (2)  for the period that is necessary in order to be able
    17     to convert the personal information into an alternative
    18     format.
    19  In either case, the person shall, no later than 30 days after
    20  the date of the request, send a notice of extension to the
    21  individual advising the individual of the new time limit, the
    22  reasons for extending the time limit and the individual's right
    23  to make a complaint to the Attorney General concerning the
    24  extension.
    25     (e)  Deemed refusal.--If the person fails to respond within
    26  the time limit, the person is deemed to have refused the
    27  request.
    28     (f)  Costs for responding.--A person may respond to an
    29  individual's request at a cost to the individual only if:
    30         (1)  the person has informed the individual of the
     1     approximate cost; and
     2         (2)  the individual has advised the person that the
     3     request is not being withdrawn.
     4     (g)  Reasons.--A person that responds within the time limit
     5  and refuses a request shall inform the individual in writing of
     6  the refusal, setting out the reasons and any recourse that the
     7  individual may have under this act.
     8     (h)  Retention of information.--Notwithstanding section 905,
     9  a person that has personal information that is the subject of a
    10  request shall retain the information for as long as necessary to
    11  allow the individual to exhaust any recourse available under
    12  this act.
    13  Section 308.  When access prohibited.
    14     (a)  General rule.--Notwithstanding section 909, a person
    15  shall not give an individual access to personal information if
    16  doing so would likely reveal personal information about a third
    17  party. However, if the information about the third party is
    18  severable from the record containing the information about the
    19  individual, the person shall sever the information about the
    20  third party before giving the individual access.
    21     (b)  Exception.--Subsection (a) does not apply if the third
    22  party consents to the access or the individual needs the
    23  information because an individual's life, health or security is
    24  threatened.
    25     (c)  Information related to section 304(3), (4) and (5).--
    26         (1)  A person shall comply with subsection (b) if an
    27     individual requests that the organization:
    28             (i)  inform the individual about:
    29                 (A)  any disclosure of information to a
    30             government institution or a part of a government
     1             institution under section 304(3), (4)(i) or (ii) or
     2             (5); or
     3                 (B)  the existence of any information that the
     4             person has relating to a disclosure referred to in
     5             this subparagraph, to a subpoena, warrant or order
     6             referred to in section 304(3) or to a request made by
     7             a government institution or a part of a government
     8             institution under section 304(4)(i) or (ii); or
     9             (ii)  give the individual access to the information
    10         referred to in subparagraph (i)(B).
    11         (2)  An organization to which paragraph (1) applies:
    12             (i)  shall, in writing and without delay, notify the
    13         institution or party concerned of the request made by the
    14         individual; and
    15             (ii)  shall not respond to the request before the
    16         earlier of:
    17                 (A)  the day on which it is notified under
    18             paragraph (3); or
    19                 (B)  30 days after the day on which the
    20             institution or party was notified.
    21         (3)  Within 30 days after the day on which it is notified
    22     under subsection (b), the institution or party shall notify
    23     the organization as to whether the institution or party
    24     objects to the organization's complying with the request. The
    25     institution or party may object only if the institution or
    26     party is of the opinion that compliance with the request
    27     could reasonably be expected to be injurious to:
    28             (i)  national security or the conduct of
    29         international affairs; or
    30             (ii)  the enforcement of any law of the United States
     1         or of this Commonwealth, an investigation relating to the
     2         enforcement of any such law or the gathering of
     3         intelligence for the purpose of enforcing any such law.
     4         (4)  Notwithstanding section 509, if a person is notified
     5     under paragraph (3) that the institution or party objects to
     6     the organization's complying with the request, the person:
     7             (i)  shall refuse the request to the extent that it
     8         relates to paragraph (1)(i) or to information referred to
     9         in paragraph (1)(i)(B).
    10             (ii)  shall notify the Attorney General, in writing
    11         and without delay, of the refusal; and
    12             (iii)  shall not disclose to the individual:
    13                 (A)  any information that the person has relating
    14             to a disclosure to a government institution or a part
    15             of a government institution under section 304(3),
    16             (4)(i) or (ii) or (5) or to a request made by a
    17             government institution or a part of a government
    18             institution under any of those paragraphs;
    19                 (B)  that the person notified an institution or
    20             party under subsection (b)(1) or the Attorney General
    21             under subsection (b)(2); or
    22                 (C)  that the institution or party objects.
    23  Section 309.  When access may be refused.
    24     (a)  General rule.--Notwithstanding the provisions of section
    25  909(1), a person is not required to give access to personal
    26  information only if:
    27         (1)  the information is protected by attorney-client
    28     privilege;
    29         (2)  to do so would reveal confidential commercial
    30     information;
     1         (3)  to do so could reasonably be expected to threaten
     2     the life or security of another individual;
     3         (4)  the information was collected under section 302(2);
     4     or
     5         (5)  the information was generated in the course of a
     6     formal dispute resolution process.
     7  However, in the circumstances described in paragraph (2) or (3),
     8  if giving access to the information would reveal confidential
     9  commercial information or could reasonably be expected to
    10  threaten the life or security of another individual, and that
    11  information is severable from the record containing any other
    12  information for which access is requested, the person shall give
    13  the individual access after severing the protected information.
    14     (b)  Limit.--Subsection (a) does not apply if the individual
    15  needs the information because an individual's life, health or
    16  security is threatened.
    17     (c)  Notice.--If a person decides not to give access to
    18  personal information in the circumstances set out in subsection
    19  (a)(4), the person shall so notify the Attorney General in
    20  writing and shall include in the notification any information
    21  that the Attorney General may specify.
    22  Section 310.  Sensory disability.
    23     An organization shall give access to personal information in
    24  an alternative format to an individual with a sensory disability
    25  who has a right-of-access to personal information under this act
    26  and who requests that it be transmitted in the alternative
    27  format if:
    28         (1)  a version of the information already exists in that
    29     format; or
    30         (2)  its conversion into that format is reasonable and
     1     necessary in order for the individual to be able to exercise
     2     rights under this act.
     3                             CHAPTER 5
     4                              REMEDIES
     5  Section 501.  Complaints.
     6     (a)  General rule.--An individual may file with the Attorney
     7  General a written complaint against an organization for
     8  violating a provision of this act.
     9     (b)  Attorney General.--If the Attorney General is satisfied
    10  that there are reasonable grounds to investigate a matter, the
    11  Attorney General may initiate a complaint concerning the matter.
    12     (c)  Time limit.--A complaint that results from the refusal
    13  to grant a request under section 307 must be filed within six
    14  months or any longer period that the Attorney General allows
    15  after the refusal or after the expiration of the time limit for
    16  responding to the request, as the case may be.
    17     (d)  Notice.--The Attorney General shall give notice of a
    18  complaint to the organization against which the complaint was
    19  made.
    20  Section 502.  Investigations of complaints.
    21     (a)  Powers of Attorney General.--The Attorney General shall
    22  investigate a complaint and for that purpose may:
    23         (1)  Summon and enforce the appearance of persons before
    24     the Attorney General and compel them to give oral or written
    25     evidence under oath and to produce any records and things
    26     that the Attorney General considers necessary to investigate
    27     the complaint, in the same manner and to the same extent as a
    28     court of record.
    29         (2)  Administer oaths.
    30         (3)  Receive and accept any evidence and other
     1     information, whether under oath, by affidavit or otherwise,
     2     that the Attorney General sees fit, regardless of whether it
     3     is or would be admissible in a court of law.
     4         (4)  At any reasonable time, enter any premises, other
     5     than a dwelling house, occupied by a person on satisfying any
     6     security requirements of the person relating to the premises.
     7         (5)  Converse in private with any person in any premises
     8     entered under paragraph (4) and otherwise carry out in those
     9     premises any inquiries that the Attorney General sees fit.
    10         (6)  Examine and obtain copies of or extracts from
    11     records found in any premises entered under paragraph (4)
    12     that contain any matter relevant to the investigation.
    13     (b)  Dispute resolution mechanisms.--The Attorney General may
    14  attempt to resolve complaints by means of dispute resolution
    15  mechanisms such as mediation and conciliation.
    16     (c)  Return of records.--The Attorney General shall return to
    17  a person any record or thing that the person produced under this
    18  section within ten days after a request is made to the Attorney
    19  General, however, nothing precludes the Attorney General from
    20  again requiring that the record or thing be produced.
    21  Section 503.  Report.
    22     (a)  Contents.--The Attorney General shall, within one year
    23  after the day on which a complaint is filed or is initiated by
    24  the Attorney General, prepare a report that contains:
    25         (1)  The Attorney General's findings and
    26     recommendations.
    27         (2)  Any settlement that was reached by the parties.
    28         (3)  If appropriate, a request that the organization give
    29     the Attorney General, within a specified time, notice of any
    30     action taken or proposed to be taken to implement the
     1     recommendations contained in the report or reasons why no
     2     such action has been or is proposed to be taken.
     3         (4)  The recourse, if any, that is available under
     4     section 504.
     5     (b)  When no report is required.--
     6         (1)  The Attorney General is not required to prepare a
     7     report if the Attorney General is satisfied that:
     8             (i)  the complainant should first exhaust grievance
     9         or review procedures otherwise reasonably available;
    10             (ii)  the complaint could more appropriately be dealt
    11         with, initially or completely, by means of a procedure
    12         provided for under the laws of this Commonwealth other
    13         than this act or the laws of the United States;
    14             (iii)  the length of time that has elapsed between
    15         the date when the subject matter of the complaint arose
    16         and the date when the complaint was filed is such that a
    17         report would not serve a useful purpose; or
    18             (iv)  the complaint is trivial, frivolous or
    19         vexatious or is made in bad faith.
    20         (2)  If a report is not to be prepared, the Attorney
    21     General shall inform the complainant and the person and
    22     explain why a report was not prepared.
    23     (c)  Report to parties.--The report shall be sent to the
    24  complainant and the person without delay.
    25  Section 504.  Hearing by court.
    26     (a)  Application.--A complainant may, after receiving the
    27  Attorney General's report, apply to the Commonwealth Court for a
    28  hearing on any matter with respect to which the complaint was
    29  made, or that is referred to in the Attorney General's report,
    30  and that is referred to in section 901(3), 902, 903(4), 904,
     1  906, 907 or 908; in section 903, 905 or 909 as modified or
     2  clarified in sections 301(a) or 307(f) or (g); or in section
     3  310.
     4     (b)  Time of application.--The application must be made
     5  within 45 days after the report is sent or within any further
     6  time that the court may, either before or after the expiration
     7  of 45 days, allow.
     8     (c)  Applications of subsections (a) and (b).--Subsections
     9  (a) and (b) also apply to complaints referred to in section 501.
    10  Section 505.  Complaints not initiated by Attorney General.
    11     The Attorney General may, concerning a complaint that the
    12  Attorney General did not initiate:
    13         (1)  apply to the Commonwealth Court, within the time
    14     limited by section 504, for a hearing relating to any matter
    15     described in that section, if the Attorney General has the
    16     consent of the complainant;
    17         (2)  appear before the Commonwealth Court on behalf of
    18     any complainant who has applied for hearing under section
    19     504; or
    20         (3)  with leave of the Commonwealth Court, appear as a
    21     party to any hearing applied for under section 504.
    22  Section 506.  Remedies.
    23     The Commonwealth Court may, in addition to any other remedies
    24  it may give:
    25         (1)  order a person to correct its practices in order to
    26     comply with sections 301 through 310;
    27         (2)  order a person to publish a notice of any action
    28     taken or proposed to be taken to correct its practices,
    29     regardless of whether ordered to correct them under paragraph
    30     (1); and

     1         (3)  award damages to the complainant, including damages
     2     for any humiliation that the complainant has suffered.
     3  Section 507.  Summary hearings.
     4     (a)  General rule.--An application made under section 504 or
     5  505 shall be heard and determined without delay and in a summary
     6  way unless the Commonwealth Court considers it inappropriate to
     7  do so.
     8     (b)  Precautions.--In any proceeding arising from an
     9  application made under section 504 or 505, the Commonwealth
    10  Court shall take every reasonable precaution, including when
    11  appropriate, receiving representations ex parte and conducting
    12  hearings in camera, to avoid the disclosure by the court or any
    13  person of any information or other material that the person
    14  would be authorized to refuse to disclose if it were requested
    15  under section 909.
    16                             CHAPTER 7
    17                               AUDITS
    18  Section 701.  To ensure compliance.
    19     (a)  General rule.--The Attorney General may, on reasonable
    20  notice and at any reasonable time, audit the personal
    21  information management practices of an organization if the
    22  Attorney General has reasonable grounds to believe that the
    23  organization is violating a provision of this act and for that
    24  purpose may:
    25         (1)  Summon and enforce the appearance of persons before
    26     the Attorney General and compel them to give oral or written
    27     evidence under oath and to produce any records and things
    28     that the Attorney General considers necessary for the audit,
    29     in the same manner and to the same extent as a court of
    30     record.

     1         (2)  Administer oaths.
     2         (3)  Receive and accept any evidence and other
     3     information, whether under oath, by affidavit or otherwise,
     4     that the Attorney General sees fit, regardless of whether it
     5     is or would be admissible in a court of law.
     6         (4)  At any reasonable time, enter any premises, other
     7     than a dwelling house, occupied by the person on satisfying
     8     any security requirements of the person relating to the
     9     premises.
    10         (5)  Converse in private with any person in any premises
    11     entered under paragraph (4) and otherwise carry out in those
    12     premises any inquiries that the Attorney General sees fit.
    13         (6)  Examine or obtain copies of or extracts from records
    14     found in any premises entered under paragraph (4) that
    15     contain any matter relevant to the audit.
    16     (b)  Return of records.--The Attorney General shall return to
    17  a person any record or thing produced by the person under this
    18  section within ten days after the person makes a request to the
    19  Attorney General, but nothing precludes the Attorney General
    20  from again requiring that the record or thing be produced.
    21  Section 702.  Report of findings and recommendations.
    22     (a)  General rule.--After an audit, the Attorney General
    23  shall provide the audited organization with a report that
    24  contains the findings of the audit and any recommendations that
    25  the Attorney General considers appropriate.
    26     (b)  Inclusion in annual reports.--The report may be included
    27  in a report made under section 5106.
    28                             CHAPTER 9
    29                             PRINCIPLES
    30  Section 901.  Accountability.

     1     An organization is responsible for personal information under
     2  its control and shall designate an individual or individuals who
     3  are accountable for the organization's compliance with the
     4  following:
     5         (1)  Accountability for the organization's compliance
     6     with the principles of this chapter rests with the designated
     7     individual or individuals, even if other individuals within
     8     the organization may be responsible for the day-to-day
     9     collection and processing of personal information. In
    10     addition, other individuals within the organization may be
    11     delegated to act on behalf of the designated individual or
    12     individuals.
    13         (2)  The identity of the individual or individuals
    14     designated by the organization to oversee the organization's
    15     compliance with the principles of this chapter shall be made
    16     known upon request.
    17         (3)  An organization is responsible for personal
    18     information in its possession or custody, including
    19     information that has been transferred to a third party for
    20     processing. The organization shall use contractual or other
    21     means to provide a comparable level of protection while the
    22     information is being processed by a third party.
    23         (4)  Organizations shall implement policies and practices
    24     to give effect to the principles of this chapter, including:
    25             (i)  Implementing procedures to protect personal
    26         information.
    27             (ii)  Establishing procedures to receive and respond
    28         to complaints and inquiries.
    29             (iii)  Training staff and communicating to staff
    30         information about the organization's policies and

     1         practices.
     2             (iv)  Developing information to explain the
     3         organization's policies and procedures.
     4  Section 902.  Identifying purposes.
     5     The purposes for which personal information is collected
     6  shall be identified by the organization at or before the time
     7  the information is collected, as follows:
     8         (1)  The organization shall document the purposes for
     9     which personal information is collected in order to comply
    10     with the openness principle (section 908) and the individual
    11     access principle (section 909).
    12         (2)  Identifying the purposes for which personal
    13     information is collected at or before the time of collection
    14     allows organizations to determine the information they need
    15     to collect to fulfill these purposes. The limiting collection
    16     principle (section 904) allows an organization to collect
    17     only that information necessary for the purposes that have
    18     been identified.
    19         (3)  The identified purposes should be specified at or
    20     before the time of collection to the individual from whom the
    21     personal information is collected. Depending upon the way in
    22     which the information is collected, this can be done orally
    23     or in writing. An application form, for example, may give
    24     notice of the purposes.
    25         (4)  When personal information that has been collected is
    26     to be used for a purpose not previously identified, the new
    27     purpose shall be identified prior to use. Unless the new
    28     purpose is required by law, the consent of the individual is
    29     required before information can be used for that purpose. For
    30     an elaboration on consent, see the consent principle (section

     1     903).
     2         (5)  Persons collecting personal information should be
     3     able to explain to individuals the purposes for which the
     4     information is being collected.
     5  Section 903.  Consent.
     6     The knowledge and consent of the individual are required for
     7  the collection, use or disclosure of personal information,
     8  except where inappropriate:
     9         (1)  In certain circumstances personal information can be
    10     collected, used or disclosed without the knowledge and
    11     consent of the individual. For example, legal, medical or
    12     security reasons may make it impossible or impractical to
    13     seek consent. When information is being collected for the
    14     detection and prevention of fraud or for law enforcement,
    15     seeking the consent of the individual might defeat the
    16     purpose of collecting the information. Seeking consent may be
    17     impossible or inappropriate when the individual is a minor,
    18     seriously ill or mentally incapacitated. In addition,
    19     organizations that do not have a direct relationship with the
    20     individual may not always be able to seek consent. For
    21     example, seeking consent may be impractical for a charity or
    22     a direct-marketing firm that wishes to acquire a mailing list
    23     from another organization. In such cases, the organization
    24     providing the list would be expected to obtain consent before
    25     disclosing personal information.
    26         (2)  Consent is required for the collection of personal
    27     information and the subsequent use or disclosure of this
    28     information. Typically, an organization will seek consent for
    29     the use or disclosure of the information at the time of
    30     collection. In certain circumstances, consent with respect to

     1     use or disclosure may be sought after the information has
     2     been collected, but before use; for example, when an
     3     organization wants to use information for a purpose not
     4     previously identified.
     5         (3)  The consent principle requires "knowledge and
     6     consent." Persons must make a reasonable effort to ensure
     7     that the individual is advised of the purposes for which the
     8     information will be used. To make the consent meaningful, the
     9     purposes must be stated in such a manner that the individual
    10     can reasonably understand how the information will be used or
    11     disclosed.
    12         (4)  A person shall not, as a condition of the supply of
    13     a product or service, require an individual to consent to the
    14     collection, use or disclosure of information beyond that
    15     required to fulfill explicitly specified and legitimate
    16     purposes.
    17         (5)  The form of the consent sought by the person may
    18     vary, depending upon the circumstances and the type of
    19     information. In determining the form of consent to use,
    20     persons shall take into account the sensitivity of the
    21     information. Although some information, for example, medical
    22     records and income records, is almost always considered to be
    23     sensitive, any information can be sensitive, depending on the
    24     context. For example, the names and addresses of subscribers
    25     to a news magazine would generally not be considered
    26     sensitive information. However, the names and addresses of
    27     subscribers to some special-interest magazine might be
    28     considered sensitive.
    29         (6)  In obtaining consent, the reasonable expectations of
    30     the individual are also relevant. For example, an individual

     1     buying a subscription to a magazine should reasonably expect
     2     that the organization, in addition to using the individual's
     3     name and address for mailing and billing purposes, would also
     4     contact the person to solicit the renewal of the
     5     subscription. In this case, the organization can assume that
     6     the individual's request constitutes consent for specific
     7     purposes. On the other hand, an individual would not
     8     reasonably expect that personal information given to a health
     9     care professional would be given to a company selling health
    10     care products unless consent were obtained. Consent shall not
    11     be obtained through deception.
    12         (7)  The way in which a person seeks consent may vary
    13     depending on the circumstances and the type of information
    14     collected. A person should generally seek express consent
    15     when the information is likely to be considered sensitive.
    16     Implied consent would generally be appropriate when the
    17     information is less sensitive. Consent can also be given by
    18     an authorized representative such as a legal guardian or a
    19     person having power of attorney.
    20         (8)  Individuals can give consent in many ways. The ways
    21     include:
    22             (i)  An application form may be used to seek consent,
    23         collect information and inform the individual of the use
    24         that will be made of the information. By completing and
    25         signing the form, the individual is giving consent to the
    26         collection and the specified uses.
    27             (ii)  A checkoff box may be used to allow individuals
    28         to request that their names and addresses not be given to
    29         other persons. Individuals who do not check the box are
    30         assumed to consent to the transfer of this information to

     1         third parties.
     2             (iii)  Consent may be given orally when information
     3         is collected over the telephone.
     4             (iv)  Consent may be given at the time that
     5         individuals use a product or service.
     6         (9)  An individual may withdraw consent at any time,
     7     subject to legal or contractual restrictions and reasonable
     8     notice. The organization shall inform the individual of the
     9     implications of withdrawal of consent.
    10  Section 904.  Limiting collection.
    11     The collection of personal information shall be limited to
    12  that which is necessary for the purposes identified by the
    13  person. Information shall be collected by fair and lawful means,
    14  as follows:
    15         (1)  Organizations shall not collect personal information
    16     indiscriminately. Both the amount and the type of information
    17     collected shall be limited to that which is necessary to
    18     fulfill the purposes identified. Organizations shall specify
    19     the type of information collected as part of their
    20     information-handling policies and practices in accordance
    21     with the openness principle (section 908).
    22         (2)  The requirement that personal information be
    23     collected by fair and lawful means is intended to prevent
    24     organizations from collecting information by misleading or
    25     deceiving individuals about the purpose for which information
    26     is being collected. This requirement implies that consent
    27     with respect to collection must not be obtained through
    28     deception.
    29  Section 905.  Limiting use, disclosure and retention.
    30     Personal information shall not be used or disclosed for

     1  purposes other than those for which it was collected, except
     2  with the consent of the individual or as required by law.
     3  Personal information shall be retained only as long as necessary
     4  for the fulfillment of those purposes as follows:
     5         (1)  Persons using personal information for a new purpose
     6     shall document this purpose.
     7         (2)  Persons should develop guidelines and implement
     8     procedures with respect to the retention of personal
     9     information. The guidelines should include minimum and
    10     maximum retention periods. Personal information that has been
    11     used to make a decision about an individual shall be retained
    12     long enough to allow the individual access to the information
    13     after the decision has been made. An organization may be
    14     subject to legislative requirements with respect to retention
    15     periods.
    16         (3)  Personal information that is no longer required to
    17     fulfill the identified purposes should be destroyed, erased
    18     or made anonymous. Organizations shall develop guidelines and
    19     implement procedures to govern the destruction of personal
    20     information.
    21  Section 906.  Accuracy.
    22     Personal information shall be as accurate, complete and up-
    23  to-date as is necessary for the purposes for which it is to be
    24  used:
    25         (1)  The extent to which personal information shall be
    26     accurate, complete and up-to-date will depend upon the use of
    27     the information, taking into account the interests of the
    28     individual. Information shall be sufficiently accurate,
    29     complete and up-to-date to minimize the possibility that
    30     inappropriate information may be used to make a decision

     1     about the individual.
     2         (2)  An organization shall not routinely update personal
     3     information unless such a process is necessary to fulfill the
     4     purposes for which the information was collected.
     5         (3)  Personal information that is used on an ongoing
     6     basis, including information that is disclosed to third
     7     parties, should generally be accurate and up-to-date, unless
     8     limits to the requirement for accuracy are clearly set out.
     9  Section 907.  Safeguards.
    10     Personal information shall be protected by security
    11  safeguards appropriate to the sensitivity of the information:
    12         (1)  The security safeguards shall protect personal
    13     information against loss or theft, as well as unauthorized
    14     access, disclosure, copying, use or modification.
    15     Organizations shall protect personal information regardless
    16     of the format in which it is held.
    17         (2)  The nature of the safeguards will vary depending on
    18     the sensitivity of the information that has been collected,
    19     the amount, distribution and format of the information and
    20     the method of storage. More sensitive information should be
    21     safeguarded by a higher level of protection. The concept of
    22     sensitivity is discussed in section 903(5).
    23         (3)  The methods of protection shall include:
    24             (i)  Physical measures, for example, locked filing
    25         cabinets and restricted access to offices.
    26             (ii)  Organizational measures, for example, security
    27         clearances and limiting access on a "need-to-know" basis.
    28             (iii)  Technological measures, for example, the use
    29         of passwords and encryption.
    30         (4)  Organizations shall make their employees aware of

     1     the importance of maintaining the confidentiality of personal
     2     information.
     3         (5)  Care shall be used in the disposal or destruction of
     4     personal information to prevent unauthorized parties from
     5     gaining access to the information under section 903(3).
     6  Section 908.  Openness.
     7     An organization shall make readily available to individuals
     8  specific information about its policies and practices relating
     9  to the management of personal information:
    10         (1)  Organizations shall be open about their policies and
    11     practices with respect to the management of personal
    12     information. Individuals shall be able to acquire information
    13     about an organization's policies and practices without
    14     unreasonable effort. This information shall be made available
    15     in a form that is generally understandable.
    16         (2)  The information made available shall include:
    17             (i)  The name or title and address of the person who
    18         is accountable for the organization's policies and
    19         practices and to whom complaints or inquiries can be
    20         forwarded.
    21             (ii)  The means of gaining access to personal
    22         information held by the organization.
    23             (iii)  A description of the type of personal
    24         information held by the organization, including a general
    25         account of its use.
    26             (iv)  A copy of any brochures or other information
    27         that explains the organization's policies, standards or
    28         codes.
    29             (v)  What personal information is made available to
    30         related organizations.

     1         (3)  A person may make information on its policies and
     2     practices available in a variety of ways. The method chosen
     3     depends on the nature of its business and other
     4     considerations. For example, a person may choose to make
     5     brochures available in its place of business, mail
     6     information to its customers, provide online access or
     7     establish a toll-free telephone number.
     8  Section 909.  Individual access.
     9     Upon request, an individual shall be informed of the
    10  existence, use and disclosure of his or her personal information
    11  and shall be given access to that information. An individual
    12  shall be able to challenge the accuracy and completeness of the
    13  information and have it amended as appropriate:
    14         (1)  In certain situations, a person may not be able to
    15     provide access to all the personal information it holds about
    16     an individual. Exceptions to the access requirement shall be
    17     limited and specific. The reasons for denying access should
    18     be provided to the individual upon request. Exceptions may
    19     include information that is prohibitively costly to provide,
    20     information that contains references to other individuals,
    21     information that cannot be disclosed for legal, security or
    22     commercial proprietary reasons, and information that is
    23     subject to attorney-client or litigation privilege.
    24         (2)  Upon request, a person shall inform an individual
    25     whether the person holds personal information about the
    26     individual. Persons are encouraged to indicate the source of
    27     this information. The person shall allow the individual
    28     access to this information. However, the person may choose to
    29     make sensitive medical information available through a
    30     medical practitioner. In addition, the person shall provide

     1     an account of the use that has been made or is being made of
     2     this information and an account of the third parties to which
     3     it has been disclosed.
     4         (3)  An individual may be required to provide sufficient
     5     information to permit a person to provide an account of the
     6     existence, use and disclosure of personal information. The
     7     information provided shall be used only for this purpose.
     8         (4)  In providing an account of third parties to which it
     9     has disclosed personal information about an individual, a
    10     person should attempt to be as specific as possible. When it
    11     is not possible to provide a list of the organizations to
    12     which it has actually disclosed information about an
    13     individual, the person shall provide a list of organizations
    14     to which it may have disclosed information about the
    15     individual.
    16         (5)  A person shall respond to an individual's request
    17     within a reasonable time and at minimal or no cost to the
    18     individual. The requested information shall be provided or
    19     made available in a form that is generally understandable.
    20     For example, if the person uses abbreviations or codes to
    21     record information, an explanation shall be provided.
    22         (6)  When an individual successfully demonstrates the
    23     inaccuracy or incompleteness of personal information, the
    24     person shall amend the information as required. Depending
    25     upon the nature of the information challenged, amendment
    26     involves the correction, deletion or addition of information.
    27     Where appropriate, the amended information shall be
    28     transmitted to third parties having access to the information
    29     in question.
    30         (7)  When a challenge is not resolved to the satisfaction

     1     of the individual, the substance of the unresolved challenge
     2     shall be recorded by the person. When appropriate, the
     3     existence of the unresolved challenge shall be transmitted to
     4     third parties having access to the information in question.
     5  Section 910.  Challenging compliance.
     6     An individual shall be able to address a challenge concerning
     7  compliance with the principles of this chapter to the designated
     8  individual or individuals accountable for an organization's
     9  compliance:
    10         (1)  The individual accountable for an organization's
    11     compliance is discussed in this chapter.
    12         (2)  Organizations shall put procedures in place to
    13     receive and respond to complaints or inquiries about their
    14     policies and practices relating to the handling of personal
    15     information. The complaint procedures shall be easily
    16     accessible and simple to use.
    17         (3)  Organizations shall inform individuals who make
    18     inquiries or lodge complaints about the existence of relevant
    19     complaint procedures. A range of these procedures may exist.
    20     For example, some regulatory bodies accept complaints about
    21     the personal-information handling practices of the companies
    22     they regulate.
    23         (4)  A person shall investigate all complaints. If a
    24     complaint is found to be justified, the person shall take
    25     appropriate measures, including, if necessary, amending its
    26     policies and practices.
    27                             CHAPTER 51
    28                         GENERAL PROVISIONS
    29  Section 5101.  Confidentiality.
    30     (a)  General rule.--Subject to subsections (b) through (e),

     1  sections 503(c) and 702(a), the Attorney General or any person
     2  acting on behalf or under the direction of the Attorney General
     3  shall not disclose any information that comes to his knowledge
     4  as a result of the performance or exercise of any of the
     5  Attorney General's duties or powers under this act.
     6     (b)  Public interest.--The Attorney General may make public
     7  any information relating to the personal information management
     8  practices of a person if the Attorney General determines that it
     9  is in the public interest to do so.
    10     (c)  Disclosure of necessary information.--The Attorney
    11  General may disclose or may authorize any person acting on
    12  behalf or under the direction of the Attorney General to
    13  disclose information that in the Attorney General's opinion is
    14  necessary to conduct an investigation or audit under this act or
    15  establish the grounds for findings and recommendations contained
    16  in a report under this act.
    17     (d)  Disclosure in the course of proceedings.--The Attorney
    18  General may disclose or may authorize any person acting on
    19  behalf or under the direction of the Attorney General to
    20  disclose information in the course of:
    21         (1)  a prosecution for an offense under section 5112;
    22         (2)  a prosecution for an offense under 18 Pa.C.S. Ch. 49
    23     (relating to falsification and intimidation) with respect to
    24     a statement made under this act;
    25         (3)  a hearing before a court under this act; or
    26         (4)  an appeal from a decision of a court.
    27     (e)  Disclosure in the course of offense authorized.--The
    28  Attorney General may disclose to a law enforcement agency
    29  information relating to the commission of an offense against any
    30  law on the part of a person if, in the Attorney General's

     1  opinion, there is evidence of an offense.
     2  Section 5102.  Not competent witness.
     3     The Attorney General or person acting on behalf or under the
     4  direction of the Attorney General is not a competent witness
     5  with respect to any matter that comes to their knowledge as a
     6  result of the performance or exercise of any of the Attorney
     7  General's duties or powers under this act in any proceeding
     8  other than:
     9         (1)  a prosecution for an offense under section 5111;
    10         (2)  a prosecution for an offense under 18 Pa.C.S. Ch. 49
    11     (relating to falsification and intimidation) with respect to
    12     a statement made under this act;
    13         (3)  a hearing before a court under this act; or
    14         (4)  an appeal from a decision of a court.
    15  Section 5103.  Protection of Attorney General.
    16     (a)  Criminal or civil process.--No criminal or civil
    17  proceedings lie against the Attorney General or against any
    18  person acting on behalf or under the direction of the Attorney
    19  General for anything done, reported or said in good faith as a
    20  result of the performance or exercise or purported performance
    21  or exercise of any duty or power of the Attorney General under
    22  this act.
    23     (b)  Libel or slander.--For the purposes of any law relating
    24  to libel or slander:
    25         (1)  anything said, any information supplied or any
    26     record or thing produced in good faith in the course of an
    27     investigation or audit carried out by or on behalf of the
    28     Attorney General under this act is privileged; and
    29         (2)  any report made in good faith by the Attorney
    30     General under this act and any fair and accurate account of

     1     the report made in good faith for the purpose of news
     2     reporting is privileged.
     3  Section 5104.  Consultation with other states and Federal
     4                 Government.
     5     If the Attorney General considers it appropriate to do so or
     6  on the request of an interested person, the Attorney General
     7  may, in order to ensure that personal information is protected
     8  as consistently as possible, consult with other states and the
     9  Federal Government and may enter into agreements:
    10         (1)  To coordinate the activities of their offices and to
    11     provide for mechanisms for the handling of any complaint in
    12     which they are mutually interested.
    13         (2)  To undertake and publish research related to the
    14     protection of personal information.
    15         (3)  To develop model contracts for the protection of
    16     personal information that is collected, used or disclosed
    17     among states or internationally.
    18  Section 5105.  Promotion of purposes of act.
    19     The Attorney General shall:
    20         (1)  Develop and conduct information programs to foster
    21     public understanding and recognition of the purpose of this
    22     act.
    23         (2)  Undertake and publish research that is related to
    24     the protection of personal information.
    25         (3)  Encourage organizations to develop detailed policies
    26     and practices, including organizational codes of practice, to
    27     comply with sections 301 through 310.
    28         (4)  Promote, by any means that the Attorney General
    29     considers appropriate, the purposes of this act.
    30  Section 5106.  Annual report.
     1     The Attorney General shall, as soon as practicable after the
     2  end of each calendar year, submit to the General Assembly a
     3  report concerning the application of this act, the extent to
     4  which other states and Congress have enacted legislation that is
     5  substantially similar to this act and the application of any
     6  such legislation. Before preparing the report, the Attorney
     7  General shall consult with those persons in the other states and
     8  Congress who, in the Attorney General's opinion, are in a
     9  position to assist the Attorney General in the reporting of
    10  personal information that is collected, used or disclosed among
    11  states or internationally.
    12  Section 5107.  Regulations.
    13     The Attorney General may promulgate regulations:
    14         (1)  specifying by name or by class what is a government
    15     institution or part of a government institution for the
    16     purposes of any provision of this act;
    17         (2)  specifying by name or by class what is an
    18     investigative body for the purposes of section 304(5);
    19         (3)  specifying information or classes of information for
    20     the purpose of sections 302(4), 303(4) and 304(10); and
    21         (4)  for carrying out the purposes and provisions of this
    22     act.
    23  Section 5108.  Whistleblowing.
    24     (a)  General rule.--An individual who has reasonable grounds
    25  to believe that a person has violated or intends to violate a
    26  provision of this act may notify the Attorney General of the
    27  particulars of the matter.
    28     (b)  Confidentiality.--The Attorney General shall keep
    29  confidential the identity of an individual who has notified the
    30  Attorney General under subsection (a).
     1     (c)  Prohibition.--No employer shall dismiss, suspend,
     2  demote, discipline, harass or otherwise disadvantage an employee
     3  or deny an employee a benefit of employment by reason that:
     4         (1)  the employee, acting in good faith and on the basis
     5     of reasonable belief, disclosed to the Attorney General that
     6     the employer or any other person violated or intended to
     7     violate a provision of this act;
     8         (2)  the employee, acting in good faith and on the basis
     9     of reasonable belief, refused or stated an intention of
    10     refusing to do anything that is a violation of a provision of
    11     this act;
    12         (3)  the employee, acting in good faith and on the basis
    13     of reasonable belief, did or stated an intention to do
    14     anything that is required to be done in order that a
    15     provision of this act not be violated; or
    16         (4)  the employer believes that the employee will do
    17     anything referred to in paragraph (1), (2) or (3).
    18     (d)  Saving.--Nothing in this section impairs the right of an
    19  employee either at law or under an employment contract or
    20  collective agreement.
    21     (e)  Definitions.--As used in this section, the following
    22  words and phrases shall have the meanings given to them in this
    23  subsection:
    24     "Employee."  The term includes an independent contractor.
    25     "Employer."  The term includes an independent contractor.
    26  Section 5109.  Review by Senate and House of Representatives
    27             committees.
    28     The administration of this act shall be reviewed by the
    29  appropriate committees of the Senate and the House of
    30  Representatives. The committees shall review the provisions and
     1  operation of this act and shall, within a year after the review
     2  is undertaken, submit a report to the General Assembly that
     3  includes any recommended changes to this act or its
     4  administration.
     5  Section 5110.  Application.
     6     (a)  Personal health information.--This act does not apply to
     7  any person with respect to personal health information that it
     8  collects, uses or discloses.
     9     (b)  Expiration date.--Subsection (a) expires one year after
    10  the effective date of this act.
    11  Section 5111.  Penalty.
    12     A person who knowingly violates section 307(h) or 5108(c) or
    13  who obstructs the Attorney General or the investigation of a
    14  complaint or in conducting an audit commits a misdemeanor of the
    15  first degree and, upon conviction, shall be sentenced to a fine
    16  of not more than $10,000.
    17  Section 5112.  Repeals.
    18     All acts and parts of acts are repealed insofar as they are
    19  inconsistent with this act.
    20  Section 5113.  Effective date.
    21     This act shall take effect in 90 days.






    E5L01MRD/20010H1822B2360        - 38 -