administrative agencies and privacy impact statements

A new House bill (pdf) introduced and passed by voice vote on Monday, might make federal agencies more sensitive to privacy concerns. The Federal Agency Protection of Privacy Act requires that agencies perform two different assessments of the impact on privacy of proposed rules.

The first would be published as an initial impact statement:

Whenever an agency is required by section 553 of this title [Title 5, United States Code], or any other law, to publish a general notice of proposed rulemaking for any proposed rule, or publishes a notice of proposed rulemaking for an interpretative rule involving the internal revenue laws of the United States, the agency shall prepare and make available for public comment an initial privacy impact analysis. Such analysis shall describe the impact of the proposed rule on the privacy of individuals. The initial privacy impact analysis or a summary shall be signed by the senior agency official with primary responsibility for privacy policy and be published in the Federal Register at the time of the publication of a general notice of proposed rulemaking for the rule.

This initial statement should contain the following:

(A) A description and assessment of the extent to which the proposed rule will impact the privacy interests of individuals, including the extent to which the proposed rule

• (i) provides notice of the collection of personally identifiable information, and specifies what personally identifiable information is to be collected and how it is to be collected, maintained, used, and disclosed;
• (ii) allows access to such information by the person to whom the personally identifiable information pertains and provides an opportunity to correct inaccuracies;
• (iii) prevents such information, which is collected for one purpose, from being used for another purpose; and
• (iv) provides security for such information.

(B) A description of any significant alternatives to the proposed rule which accomplish the stated objectives of applicable statutes and which minimize any significant privacy impact of the proposed rule on individuals.

The bill also calls for a final privacy impact analysis:

Whenever an agency promulgates a final rule under section 553 of this title [Title 5, United States Code], after being required by that section or any other law to publish a general notice of proposed rulemaking, or promulgates a final interpretative rule involving the internal revenue laws of the United States, the agency shall prepare a final privacy impact analysis, signed by the senior agency official with primary responsibility for privacy policy.

Like the initial privacy anaylsis statement, a list of contents was also defined by the bill for the final statement, which should contain:

(A) A description and assessment of the extent to which the final rule will impact the privacy interests of individuals, including the extent to which the proposed rule

• (i) provides notice of the collection of personally identifiable information, and specifies what personally identifiable information is to be collected and how it is to be collected, maintained, used, and disclosed;
• (ii) allows access to such information by the person to whom the personally identifiable information pertains and provides an opportunity to correct inaccuracies;
• (iii) prevents such information, which is collected for one purpose, from being used for another purpose; and
• (iv) provides security for such information.

(B) A summary of the significant issues raised by the public comments in response to the initial privacy impact analysis, a summary of the assessment of the agency of such issues, and a statement of any changes made in the proposed rule as a result of such issues.

(C) A description of the steps the agency has taken to minimize the significant privacy impact on individuals consistent with the stated objectives of applicable statutes, including a statement of the factual, policy, and legal reasons for selecting the alternative adopted in the final rule and why each one of the other significant alternatives to the rule considered by the agency which affect the privacy interests of individuals was rejected.

This seems like a really good idea on paper. There's speculation that the Senate will follow suit, and introduce a version of this bill "at the end of the congressional session when other non-controversial bills are considered." I can't want to see the first initial impact statement on a regulation that does affect privacy.