PRINTER'S NO. 2055
No. 1669 Session of 2001
INTRODUCED BY DIVEN, MAYERNIK, READSHAW, MARKOSEK, BELFANTI, CALTAGIRONE, CAPPABIANCA, COLAFELLA, COSTA, CRUZ, CURRY, DALEY, DERMODY, D. EVANS, FRANKEL, GABIG, GRUCELA, HARHAI, HORSEY, JADLOWIEC, KELLER, KENNEY, LAUGHLIN, LEDERER, MAHER, MANN, MUNDY, PALLONE, PETRARCA, PISTELLA, PRESTON, ROHRER, SURRA, J. TAYLOR, THOMAS, TIGUE, TRELLO, WALKO, WANSACZ, WASHINGTON, J. WILLIAMS AND YOUNGBLOOD, MAY 29, 2001
REFERRED TO COMMITTEE ON STATE GOVERNMENT, MAY 29, 2001
AN ACT

Establishing requirements for the maintenance of personal information in administrative systems of certain agencies of the Commonwealth; and requiring the agencies to establish Internet privacy policies.

The General Assembly of the Commonwealth of Pennsylvania hereby enacts as follows:

Section 1. Short title.

This act shall be known and may be cited as the Commonwealth Agency Internet Privacy Act.

Section 2. Definitions.

The following words and phrases when used in this act shall have the meanings given to them in this section unless the context clearly indicates otherwise:

"Commonwealth agency." The body, and all committees thereof authorized by the body to take official action or render advice on matters of agency business as those terms are defined in 65 Pa.C.S. § 703 (relating to definitions), of all the following: the General Assembly, the executive branch of the government of this Commonwealth, including the Governor's Cabinet when meeting on official policymaking business, any board, council, authority or commission of the Commonwealth or of any political subdivision of the Commonwealth or any State, municipal, township or school authority, school board, school governing body, commission, the boards of trustees of all State-aided colleges and universities, the councils of trustees of all State-owned colleges and universities, the boards of trustees of all State-related universities and all community colleges or similar organizations created by or pursuant to a statute which declares in substance that the organization performs or has for its purpose the performance of an essential governmental function and through the joint action of its members exercises governmental authority and takes official action.

Section 3. Administration of systems containing personal information.

A Commonwealth agency maintaining an information system that includes personal information shall:

(1) Collect, maintain, use and disseminate only that personal information permitted or required by law to be so collected, maintained, used or disseminated or necessary to accomplish a proper purpose of the agency.

(2) Collect information to the greatest extent feasible from the data subject directly.

(3) Establish categories for maintaining personal information to operate in conjunction with confidentiality requirements and access controls.

(4) Maintain information in the system with accuracy, completeness, timeliness and pertinence as necessary to assure fairness in determinations relating to a data subject.

(5) Make no dissemination to another system without:

    (i) Specifying requirements for security and usage, including limitations on access thereto.

    (ii) Receiving reasonable assurances that those requirements and limitations will be observed.

This paragraph shall not apply to a dissemination made by an agency to an agency in another state, district or territory of the United States where the personal information is requested by the agency of such other state, district or territory in connection with the application of the data subject therein for a service, privilege or right under the laws thereof nor shall this paragraph apply to information transmitted to family advocacy representatives of the United States Armed Forces in accordance with Federal law.

(6) Maintain a list of all people or organizations having regular access to personal information in the information system.

(7) Maintain for a period of three years or until such time as the personal information is purged, whichever is shorter, a complete and accurate record, including identity and purpose, of every access to any personal information in a system, including the identity of any person or organization not having regular access authority but excluding access by the personnel of the agency wherein data is put to service for the purpose for which it is obtained.

(8) Take affirmative action to establish rules of conduct and inform each person involved in the design, development, operation or maintenance of the system or the collection or use of any personal information contained therein, about all the requirements of this act, the rules and procedures, including penalties for noncompliance, of the agency designed to assure compliance with such requirements.

(9) Establish appropriate safeguards to secure the system from any reasonably foreseeable threat to its security.

(10) Collect no personal information concerning the political or religious beliefs, affiliations and activities of data subjects which is maintained, used or disseminated in or by any information system operated by any agency unless authorized explicitly by statute or ordinance.

Section 4. Internet privacy policy.

(a) Duties of Commonwealth agencies.--

(1) On or before December 31, 2002, each Commonwealth agency that has an Internet World Wide Web site associated with that Commonwealth agency shall develop an Internet privacy policy and an Internet privacy policy statement that explains the policy to the public. The policy shall be consistent with the requirements of this act.

(2) On or before December 31, 2002, the statement shall be made available on the Commonwealth agency's World Wide Web site in a conspicuous manner. The Secretary of Administration, or his designee, shall provide guidelines for developing the policy and the statement and each Commonwealth agency shall tailor the policy and the statement to reflect the information practices of the individual public body.

(b) Contents of policy.--At minimum, the policy and the statement shall address:

(1) What information, including personally identifiable information, will be collected, if any.

(2) Whether any information will be automatically collected simply by accessing the World Wide Web site and, if so, what information.

(3) Whether the World Wide Web site automatically places a computer file, commonly referred to as a "cookie," on the Internet user's computer and, if so, for what purpose.

(4) How the collected information is being used or will be used.

Section 5. Effective date.

This act shall take effect in 60 days or December 31, 2002, whichever occurs first.