[House Report 110-755] [From the U.S. Government Publishing Office] 110th Congress Report HOUSE OF REPRESENTATIVES 2d Session 110-755 ====================================================================== DEPARTMENT OF HOMELAND SECURITY COMPONENT PRIVACY OFFICER ACT OF 2008 _______ July 10, 2008.--Committed to the Committee of the Whole House on the State of the Union and ordered to be printed _______ Mr. Thompson of Mississippi, from the Committee on Homeland Security, submitted the following R E P O R T [To accompany H.R. 5170] [Including cost estimate of the Congressional Budget Office] The Committee on Homeland Security, to whom was referred the bill (H.R. 5170) to amend the Homeland Security Act of 2002 to provide for a privacy official within each component of the Department of Homeland Security, and for other purposes, having considered the same, report favorably thereon with an amendment and recommend that the bill as amended do pass. CONTENTS Page Purpose and Summary.............................................. 3 Background and Need for Legislation.............................. 3 Hearings......................................................... 3 Committee Consideration.......................................... 3 Committee Votes.................................................. 4 Committee Oversight Findings..................................... 4 New Budget Authority, Entitlement Authority, and Tax Expenditures 4 Congressional Budget Office Estimate............................. 4 Statement of General Performance Goals and Objectives............ 5 Congressional Earmarks, Limited Tax Benefits, and Limited Tariff Benefits....................................................... 6 Federal Mandates Statement....................................... 6 Advisory Committee Statement..................................... 6 Constitutional Authority Statement............................... 6 Applicability to Legislative Branch.............................. 6 Section-by-Section Analysis of the Legislation................... 6 Changes in Existing Law Made by the Bill, as Reported............ 7 The amendment is as follows: Strike all after the enacting clause and insert the following: SECTION 1. SHORT TITLE. This Act may be cited as the ``Department of Homeland Security Component Privacy Officer Act of 2008''. SEC. 2. ESTABLISHMENT OF PRIVACY OFFICIAL WITHIN EACH COMPONENT OF DEPARTMENT OF HOMELAND SECURITY. (a) In General.--Subtitle C of title II of the Homeland Security Act of 2002 (6 U.S.C. 141 et seq.) is amended by inserting after section 222 the following new section: ``SEC. 222A. PRIVACY OFFICIALS. ``(a) Designation.-- ``(1) In general.--For each component of the Department under paragraph (2), the Secretary shall, in consultation with the head of the component, designate a full-time privacy official, who shall report directly to the senior official appointed under section 222. Each such component privacy official shall have primary responsibility for its component in implementing the privacy policy for the Department established by the senior official appointed under section 222. ``(2) Components.--The components of the Department referred to in this subparagraph are as follows: ``(A) The Transportation Security Administration. ``(B) The Bureau of Citizenship and Immigration Services. ``(C) Customs and Border Protection. ``(D) Immigration and Customs Enforcement. ``(E) The Federal Emergency Management Agency. ``(F) The Coast Guard. ``(G) The Directorate of Science and Technology. ``(H) The Office of Intelligence and Analysis. ``(I) The Directorate for National Protection and Programs. ``(b) Responsibilities.--Each privacy official designated under subsection (a) shall report directly to both the head of the official's component and the senior official appointed under section 222, and shall have the following responsibilities with respect to the component: ``(1) Serve as such senior official's main point of contact at the component to implement the polices and directives of such senior official in carrying out section 222. ``(2) Advise the head of that component on privacy considerations when any law, regulation, program, policy, procedure, or guideline is proposed, developed, or implemented. ``(3) Assure that the use of technologies by the component sustain or enhance privacy protections relating to the use, collection, and disclosure of personal information within the component. ``(4) Identify privacy issues related to component programs and apply appropriate privacy policies in accordance with Federal privacy law and Departmental policies developed to ensure that the component protects the privacy of individuals affected by its activities. ``(5) Monitor the component's compliance with all applicable Federal privacy laws and regulations, implement corrective, remedial, and preventive actions and notify the senior official appointed under section 222 of privacy issues or non- compliance, whenever necessary. ``(6) Ensure that personal information contained in Privacy Act systems of records is handled in full compliance with section 552a of title 5, United States Code. ``(7) Assist in drafting and reviewing privacy impact assessments, privacy threshold assessments, and system of records notices, in conjunction with and under the direction of the senior official appointed under section 222, for any new or substantially changed program or technology that collects, maintains, or disseminates personally identifiable information within the official's component. ``(8) Assist in drafting and reviewing privacy impact assessments, privacy threshold assessments, and system of records notices in conjunction with and under the direction of the senior official appointed under section 222, for proposed rulemakings and regulations within the component. ``(9) Conduct supervision of programs, regulations, policies, procedures, or guidelines to ensure the component's protection of privacy and, as necessary, promulgate guidelines and conduct oversight to ensure the protection of privacy. ``(10) Implement and monitor privacy training for component employees and contractors in coordination with the senior official appointed under section 222. ``(11) Provide the senior official appointed under section 222 with written materials and information regarding the relevant activities of the component, including privacy violations and abuse, that are needed by the senior official to successfully prepare the reports the senior official submits to Congress and prepares on behalf of the Department. ``(12) Any other responsibilities assigned by the Secretary or the senior official appointed under section 222. ``(c) Role of Component Heads.--The head of a component identified in subsection (a)(2) shall ensure that the privacy official designated under subsection (a) for that component-- ``(1) has the information, material, and resources necessary to fulfill the responsibilities of such official under this section; ``(2) is advised of proposed policy changes and the development of new programs, rules, regulations, procedures, or guidelines during the planning stage and is included in the decision-making process; and ``(3) is given access to material and personnel the privacy official deems necessary to carry out the official's responsibilities. ``(d) Limitation.--Nothing in this section shall be considered to abrogate the role and responsibilities of the senior official appointed under section 222.''. (b) Clerical Amendment.--The table of contents in section 1(b) of such Act is amended by inserting after the item related to section 222 the following new item: ``Sec. 222A. Privacy officials.''. Purpose and Summary The purpose of H.R. 5170 is to amend the Homeland Security Act of 2002 to provide for a privacy official within each component of the Department of Homeland Security, and for other purposes. Background and Need for Legislation Under the current structure, the Chief Privacy Officer works closely with other departmental components, such as the General Counsel's Office, the Policy Office and the Office for Civil Rights and Civil Liberties in addressing privacy issues; however, many of the Department Components operate without an on-site full time privacy professional. Additionally, components with a designated privacy officer have generally produced more Privacy Impact Assessments (PIAs) than components without privacy officers. In fact, of the eleven DHS components that have published PIAs, only three have designated privacy officers. Yet these three components account for 57 percent of all published DHS PIAs. Moreover, according to the DHS Office of Privacy 2007 Annual Report to Congress ``establishing and increasing the number of well-trained privacy officers at the component level helps to ensure that privacy is built into new and existing programs at the beginning of the development process.'' Additionally, the presence of a full-time Component Privacy Officer would ensure that privacy considerations are integrated into the decision- making process at all of the DHS Components. Hearings No hearings were held on H.R. 5170. Committee Consideration H.R. 5170 was introduced in the House on January 29, 2008, by Mr. Carney and Mr. Thompson of Mississippi and referred solely to the Committee on Homeland Security. Within the Committee H.R. 5170 was referred to the Subcommittee on Management, Investigations, and Oversight. On June 26, 2008, the Chairman discharged the Subcommittee on Management, Investigations, and Oversight from further consideration of H.R. 5170. The Committee then proceeded to the consideration of H.R. 5170 and ordered the measure to be reported to the House favorably, as amended, by voice vote. The Committee adopted the measure, as amended, by unanimous consent. The following amendment was offered: An Amendment in the Nature of a Substitute offered by Mr. Carney (#1); was AGREED TO by unanimous consent. Committee Votes Clause 3(b) of rule XIII of the Rules of the House of Representatives requires the Committee to list the recorded votes on the motion to report legislation and amendments thereto. No recorded votes were requested during Committee consideration. Committee Oversight Findings Pursuant to clause 3(c)(1) of rule XIII of the Rules of the House of Representatives, the Committee has held oversight hearings and made findings that are reflected in this report. New Budget Authority, Entitlement Authority, and Tax Expenditures In compliance with clause 3(c)(2) of rule XIII of the Rules of the House of Representatives, the Committee finds that H.R. 5170, the Department of Homeland Security Component Privacy Officer Act of 2008, would result in no new or increased budget authority, entitlement authority, or tax expenditures or revenues. Congressional Budget Office Estimate The Committee adopts as its own the cost estimate prepared by the Director of the Congressional Budget Office pursuant to section 402 of the Congressional Budget Act of 1974. U.S. Congress, Congressional Budget Office, Washington, DC, July 8, 2008. Hon. Bennie G. Thompson, Chairman, Committee on Homeland Security, House of Representatives, Washington, DC. Dear Mr. Chairman: The Congressional Budget Office has prepared the enclosed cost estimate for H.R. 5170, the Department of Homeland Security Component Privacy Officer Act of 2008. If you wish further details on this estimate, we will be pleased to provide them. The CBO staff contact is Mark Grabowicz. Sincerely, Robert A. Sunshine (For Peter R. Orszag, Director). Enclosure. H.R. 5170--Department of Homeland Security Component Privacy Officer Act of 2008 CBO estimates that implementing H.R. 5170 would cost about $1 million annually, assuming the availability of appropriated funds. Enacting the bill would not affect direct spending or revenues. H.R. 5170 contains no intergovernmental or private- sector mandates as defined in the Unfunded Mandates Reform Act and would impose no costs on state, local, or tribal governments. H.R. 5170 would direct the Department of Homeland Security (DHS) to designate full-time officials to oversee privacy considerations and policies for each of the department's nine components, including the Federal Emergency Management Agency, the Coast Guard, and the other agencies specified in the bill. Those individuals would coordinate all privacy matters for their respective agencies, including training and compliance, and would report to the Chief Privacy Officer of DHS. According to DHS, four of the nine department components already have full-time privacy officials, so implementing H.R. 5170 would require filling five positions. We expect that each new official would be compensated at level 14 or 15 of the General Schedule. CBO estimates that the costs for those positions would total about $1 million annually, including salaries and benefits for those officials and for the costs of any support staff. The CBO staff contact for this estimate is Mark Grabowicz. This estimate was approved by Peter H. Fontaine, Assistant Director for Budget Analysis. Statement of General Performance Goals and Objectives Pursuant to clause 3(c)(4) of rule XIII of the Rules of the House of Representatives, H.R. 5170 contains the following general performance goals and objectives, including outcome related goals and objectives authorized. The purpose of this legislation is to create Component Privacy Officers in the Department of Homeland Security component agencies. Unfortunately, public trust in the Department's ability to protect personal privacy rights is abysmally low. This bill should aid in improving the manner in which the Department handles privacy related issues and should also foster the Department's mandate to sustain privacy protections. In turn, public trust with respect to the Department should improve. H.R. 5170 adds a new section 222A to the Homeland Security Act of 2002 (6 U.S.C. 361 et seq.), which requires the Secretary of Homeland Security, in consultation with the Component Head, to create Component Privacy Officers at the following Department of Homeland Security components: The Transportation Security Administration; The Bureau of Citizenship and Immigration Services; Customs and Border Protection; Immigration and Customs Enforcement; The Federal Emergency Management Agency; The Coast Guard; The Directorate of Science and Technology; The Office of Intelligence and Analysis; and The Directorate for National Protection and Programs. Congressional Earmarks, Limited Tax Benefits, and Limited Tariff Benefits In compliance with rule XXI of the Rules of the House of Representatives, this bill, as reported, contains no congressional earmarks, limited tax benefits, or limited tariff benefits as defined in clause 9(d), 9(e), or 9(f) of the rule XXI. Federal Mandates Statement The Committee adopts as its own the estimate of Federal mandates prepared by the Director of the Congressional Budget Office pursuant to section 423 of the Unfunded Mandates Reform Act. Advisory Committee Statement No advisory committees within the meaning of section 5(b) of the Federal Advisory Committee Act were created by this legislation. Constitutional Authority Statement Pursuant to clause 3(d)(1) of rule XIII of the Rules of the House of Representatives, the Committee finds that the Constitutional authority for this legislation is provided in Article I, section 8, clause 1, which grants Congress the power to provide for the common Defense of the United States. Applicability to Legislative Branch The Committee finds that the legislation does not relate to the terms and conditions of employment or access to public services or accommodations within the meaning of section 102(b)(3) of the Congressional Accountability Act. Section-by-Section Analysis of the Legislation Section 1. Short title This section designates the short title as the ``Department of Homeland Security Component Privacy Act of 2008.'' Section 2. Establishment of privacy official within each component of Department of Homeland Security The Homeland Security Act of 2002 (P. L. 107-296) is amended by inserting after Section 222, which creates the ``senior official'' at the Department that is responsible for privacy policy, a new section 222A, which will govern the component privacy officers. Section 222A. Privacy officials This section indicates that the Secretary, in consultation with the head of each Component, shall designate a full-time privacy official in certain components of the Department of Homeland Security. This section states that the components referred to in the bill are: The Transportation Security Administration; the Bureau of Citizenship and Immigration Services; Customs and Border Protection; Immigration and Customs Enforcement; the Federal Emergency Management Agency; the Coast Guard; the Directorate of Science and Technology; the Office of Intelligence and Analysis; and the Directorate for National Protection and Programs. Responsibilities. This section states that the Component Privacy Officers shall have primary responsibility for implementing the Department's privacy policy in the Component Privacy Officer's component agency. Additionally, it indicates that the Component Privacy Officers shall report directly to the senior official appointed under section 222, hereinafter referred to for clarification purposes as the ``DHS Chief Privacy Officer.'' This section also states that in addition to the directly reporting to the DHS Chief Privacy Officer, each Component Privacy Officer shall also report directly to the head of that officer's component. This section also lists the responsibilities of the Component Privacy Officers and describes in detail the manner in which they will monitor and exercise oversight over privacy matters within their respective components. This section also indicates that in addition to the responsibilities enumerated in the bill, the Component Privacy Officers shall also execute any other responsibilities assigned by the Secretary or the DHS Chief Privacy Officer. This section states that the head of the components shall assist the Component Privacy Officers in carrying out their duties by ensuring that the officers have the information, material, and resources necessary to fulfill their responsibilities. This section also provides that the head of the components shall make certain that the Component Privacy Officers are advised of proposed policy changes and the development of new programs, rules, regulations, procedures, or guidelines during the planning stage. This section also states that the Component Privacy Officers shall be included in the component's decision-making process and be given access to the necessary material and personnel to carry out the responsibilities set forth in the bill. This section states that it is not the intention of this bill to abrogate the current role and responsibilities of the DHS Privacy Officer. Changes in Existing Law Made by the Bill, as Reported In compliance with clause 3(e) of rule XIII of the Rules of the House of Representatives, changes in existing law made by the bill, as reported, are shown as follows (new matter is printed in italic and existing law in which no change is proposed is shown in roman): HOMELAND SECURITY ACT OF 2002 SECTION 1. SHORT TITLE; TABLE OF CONTENTS. (a) * * * (b) Table of Contents.--The table of contents for this Act is as follows: * * * * * * * TITLE II--INFORMATION ANALYSIS AND INFRASTRUCTURE PROTECTION * * * * * * * Subtitle C--Information Security * * * * * * * Sec. 222A. Privacy officials. * * * * * * * TITLE II--INFORMATION ANALYSIS AND INFRASTRUCTURE PROTECTION * * * * * * * Subtitle C--Information Security * * * * * * * SEC. 222A. PRIVACY OFFICIALS. (a) Designation.-- (1) In general.--For each component of the Department under paragraph (2), the Secretary shall, in consultation with the head of the component, designate a full-time privacy official, who shall report directly to the senior official appointed under section 222. Each such component privacy official shall have primary responsibility for its component in implementing the privacy policy for the Department established by the senior official appointed under section 222. (2) Components.--The components of the Department referred to in this subparagraph are as follows: (A) The Transportation Security Administration. (B) The Bureau of Citizenship and Immigration Services. (C) Customs and Border Protection. (D) Immigration and Customs Enforcement. (E) The Federal Emergency Management Agency. (F) The Coast Guard. (G) The Directorate of Science and Technology. (H) The Office of Intelligence and Analysis. (I) The Directorate for National Protection and Programs. (b) Responsibilities.--Each privacy official designated under subsection (a) shall report directly to both the head of the official's component and the senior official appointed under section 222, and shall have the following responsibilities with respect to the component: (1) Serve as such senior official's main point of contact at the component to implement the polices and directives of such senior official in carrying out section 222. (2) Advise the head of that component on privacy considerations when any law, regulation, program, policy, procedure, or guideline is proposed, developed, or implemented. (3) Assure that the use of technologies by the component sustain or enhance privacy protections relating to the use, collection, and disclosure of personal information within the component. (4) Identify privacy issues related to component programs and apply appropriate privacy policies in accordance with Federal privacy law and Departmental policies developed to ensure that the component protects the privacy of individuals affected by its activities. (5) Monitor the component's compliance with all applicable Federal privacy laws and regulations, implement corrective, remedial, and preventive actions and notify the senior official appointed under section 222 of privacy issues or non-compliance, whenever necessary. (6) Ensure that personal information contained in Privacy Act systems of records is handled in full compliance with section 552a of title 5, United States Code. (7) Assist in drafting and reviewing privacy impact assessments, privacy threshold assessments, and system of records notices, in conjunction with and under the direction of the senior official appointed under section 222, for any new or substantially changed program or technology that collects, maintains, or disseminates personally identifiable information within the official's component. (8) Assist in drafting and reviewing privacy impact assessments, privacy threshold assessments, and system of records notices in conjunction with and under the direction of the senior official appointed under section 222, for proposed rulemakings and regulations within the component. (9) Conduct supervision of programs, regulations, policies, procedures, or guidelines to ensure the component's protection of privacy and, as necessary, promulgate guidelines and conduct oversight to ensure the protection of privacy. (10) Implement and monitor privacy training for component employees and contractors in coordination with the senior official appointed under section 222. (11) Provide the senior official appointed under section 222 with written materials and information regarding the relevant activities of the component, including privacy violations and abuse, that are needed by the senior official to successfully prepare the reports the senior official submits to Congress and prepares on behalf of the Department. (12) Any other responsibilities assigned by the Secretary or the senior official appointed under section 222. (c) Role of Component Heads.--The head of a component identified in subsection (a)(2) shall ensure that the privacy official designated under subsection (a) for that component-- (1) has the information, material, and resources necessary to fulfill the responsibilities of such official under this section; (2) is advised of proposed policy changes and the development of new programs, rules, regulations, procedures, or guidelines during the planning stage and is included in the decision-making process; and (3) is given access to material and personnel the privacy official deems necessary to carry out the official's responsibilities. (d) Limitation.--Nothing in this section shall be considered to abrogate the role and responsibilities of the senior official appointed under section 222. * * * * * * *