                                                      PRINTER'S NO. 2055

THE GENERAL ASSEMBLY OF PENNSYLVANIA


HOUSE BILL

No. 1669 Session of 2001


        INTRODUCED BY DIVEN, MAYERNIK, READSHAW, MARKOSEK, BELFANTI,
           CALTAGIRONE, CAPPABIANCA, COLAFELLA, COSTA, CRUZ, CURRY,
           DALEY, DERMODY, D. EVANS, FRANKEL, GABIG, GRUCELA, HARHAI,
           HORSEY, JADLOWIEC, KELLER, KENNEY, LAUGHLIN, LEDERER, MAHER,
           MANN, MUNDY, PALLONE, PETRARCA, PISTELLA, PRESTON, ROHRER,
           SURRA, J. TAYLOR, THOMAS, TIGUE, TRELLO, WALKO, WANSACZ,
           WASHINGTON, J. WILLIAMS AND YOUNGBLOOD, MAY 29, 2001

        REFERRED TO COMMITTEE ON STATE GOVERNMENT, MAY 29, 2001

                                     AN ACT

     1  Establishing requirements for the maintenance of personal
     2     information in administrative systems of certain agencies of
     3     the Commonwealth; and requiring the agencies to establish
     4     Internet privacy policies.

     5     The General Assembly of the Commonwealth of Pennsylvania
     6  hereby enacts as follows:
     7  Section 1.  Short title.
     8     This act shall be known and may be cited as the Commonwealth
     9  Agency Internet Privacy Act.
    10  Section 2.  Definitions.
    11     The following words and phrases when used in this act shall
    12  have the meanings given to them in this section unless the
    13  context clearly indicates otherwise:
    14     "Commonwealth agency."  The body, and all committees thereof
    15  authorized by the body to take official action or render advice
    16  on matters of agency business as those terms are defined in 65


     1  Pa.C.S. § 703 (relating to definitions), of all the following:
     2  the General Assembly, the executive branch of the government of
     3  this Commonwealth, including the Governor's Cabinet when meeting
     4  on official policymaking business, any board, council, authority
     5  or commission of the Commonwealth or of any political
     6  subdivision of the Commonwealth or any State, municipal,
     7  township or school authority, school board, school governing
     8  body, commission, the boards of trustees of all State-aided
     9  colleges and universities, the councils of trustees of all
    10  State-owned colleges and universities, the boards of trustees of
    11  all State-related universities and all community colleges or
    12  similar organizations created by or pursuant to a statute which
    13  declares in substance that the organization performs or has for
    14  its purpose the performance of an essential governmental
    15  function and through the joint action of its members exercises
    16  governmental authority and takes official action.
    17  Section 3.  Administration of systems containing personal
    18                 information.
    19     A Commonwealth agency maintaining an information system that
    20  includes personal information shall:
    21         (1)  Collect, maintain, use and disseminate only that
    22     personal information permitted or required by law to be so
    23     collected, maintained, used or disseminated or necessary to
    24     accomplish a proper purpose of the agency.
    25         (2)  Collect information to the greatest extent feasible
    26     from the data subject directly.
    27         (3)  Establish categories for maintaining personal
    28     information to operate in conjunction with confidentiality
    29     requirements and access controls.
    30         (4)  Maintain information in the system with accuracy,
    20010H1669B2055                  - 2 -

     1     completeness, timeliness and pertinence as necessary to
     2     assure fairness in determinations relating to a data subject.
     3         (5)  Make no dissemination to another system without:
     4             (i)  Specifying requirements for security and usage,
     5         including limitations on access thereto.
     6             (ii)  Receiving reasonable assurances that those
     7         requirements and limitations will be observed.
     8     This paragraph shall not apply to a dissemination made by an
     9     agency to an agency in another state, district or territory
    10     of the United States where the personal information is
    11     requested by the agency of such other state, district or
    12     territory in connection with the application of the data
    13     subject therein for a service, privilege or right under the
    14     laws thereof nor shall this paragraph apply to information
    15     transmitted to family advocacy representatives of the United
    16     States Armed Forces in accordance with Federal law.
    17         (6)  Maintain a list of all people or organizations
    18     having regular access to personal information in the
    19     information system.
    20         (7)  Maintain for a period of three years or until such
    21     time as the personal information is purged, whichever is
    22     shorter, a complete and accurate record, including identity
    23     and purpose, of every access to any personal information in a
    24     system, including the identity of any person or organization
    25     not having regular access authority but excluding access by
    26     the personnel of the agency wherein data is put to service
    27     for the purpose for which it is obtained.
    28         (8)  Take affirmative action to establish rules of
    29     conduct and inform each person involved in the design,
    30     development, operation or maintenance of the system or the

     1     collection or use of any personal information contained
     2     therein, about all the requirements of this act, the rules
     3     and procedures, including penalties for noncompliance, of the
     4     agency designed to assure compliance with such requirements.
     5         (9)  Establish appropriate safeguards to secure the
     6     system from any reasonably foreseeable threat to its
     7     security.
     8         (10)  Collect no personal information concerning the
     9     political or religious beliefs, affiliations and activities
    10     of data subjects which is maintained, used or disseminated in
    11     or by any information system operated by any agency unless
    12     authorized explicitly by statute or ordinance.
    13  Section 4.  Internet privacy policy.
    14     (a)  Duties of Commonwealth agencies.--
    15         (1)  On or before December 31, 2002, each Commonwealth
    16     agency that has an Internet World Wide Web site associated
    17     with that Commonwealth agency shall develop an Internet
    18     privacy policy and an Internet privacy policy statement that
    19     explains the policy to the public. The policy shall be
    20     consistent with the requirements of this act.
    21         (2)  On or before December 31, 2002, the statement shall
    22     be made available on the Commonwealth agency's World Wide Web
    23     site in a conspicuous manner. The Secretary of
    24     Administration, or his designee, shall provide guidelines for
    25     developing the policy and the statement and each Commonwealth
    26     agency shall tailor the policy and the statement to reflect
    27     the information practices of the individual public body.
    28     (b)  Contents of policy.--At minimum, the policy and the
    29  statement shall address:
    30         (1)  What information, including personally identifiable

     1     information, will be collected, if any.
     2         (2)  Whether any information will be automatically
     3     collected simply by accessing the World Wide Web site and, if
     4     so, what information.
     5         (3)  Whether the World Wide Web site automatically places
     6     a computer file, commonly referred to as a "cookie," on the
     7     Internet user's computer and, if so, for what purpose.
     8         (4)  How the collected information is being used or will
     9     be used.
    10  Section 5.  Effective date.
    11     This act shall take effect in 60 days or December 31, 2002,
    12  whichever occurs first.












    D17L71DMS/20010H1669B2055        - 5 -