Laws Governing Federal Privacy Programs

Americans with Disabilities Act of 1990 (ADA) & Rehabilitation Act of 1973 (Rehab Act)

Americans with Disabilities Act

42 U.S.C. §§ 12101 et. seq.
42 U.S.C. § 12112(D) DISCRIMINATION

Rehabilitation Act

9 U.S.C. §§ 701 et. seq. (Chapter 16 Vocational Rehabilitation and Other Rehabilitation Services)

Overview

The ADA prohibits discrimination and guarantees that people with disabilities have the same opportunities as everyone else to participate in the mainstream of American life — to enjoy employment opportunities, to purchase goods and services, and to participate in State and local government programs and services. Modeled after the Civil Rights Act of 1964, which prohibits discrimination on the basis of race, color, religion, sex, or national origin – and Section 504 of the Rehabilitation Act of 1973 — the ADA is an “equal opportunity” law for people with disabilities.

The ADA, at 42 U.S.C. § 12112(d), generally prohibits medical examinations and inquiries of job applicants unless the inquiry is about the ability of the applicant to perform job related functions. The ADA does authorize medical examinations and inquiries by employers with regard to an employee’s request for reasonable accommodation for a disability. In both instances, there are confidentiality requirements that attach to the records and information gathered.

The Rehabilitation Act of 1973 (also known as the “Rehab Act”) prohibits discrimination on the basis of disability in programs run by federal agencies; programs that receive federal financial assistance; in federal employment; and in the employment practices of federal contractors. The standards for deciding if employment discrimination exists under the Rehab Act are the same as those used in Title I of the ADA.

The Rehab Act, at 29 C.F.R. § 791(f) and §793(d), provides that these sections of the ADA apply equally to those entities subject to the Rehab Act.

The Americans with Disabilities Act Amendments Act of 2008 (Public Law 110-325) (ADAAA) further amended the definition of “individual with a disability” and amended sections 12101, 12102, 12111 to 12114, 12201 and 12210 of the ADA and section 705 of the Rehab Act. The ADAAA also enacted sections 12103 and 12205a and re-designated sections 12206 to 12213.

Helpful Tips

The ADA, at 42 U.S.C. § 12112(d), generally prohibits medical examinations and inquiries of job applicants unless the inquiry is about the ability of the applicant to perform job related functions. The ADA does authorize medical examinations and inquiries by employers with regard to an employee’s request for reasonable accommodation for a disability. In both instances, there are confidentiality requirements that attach to the records and information gathered.

The Equal Employment Opportunity Commission (EEOC) issues government-wide regulations for implementing the ADA at 29 C.F.R. Part 1630. Except as otherwise provided in this part, this part does not apply a lesser standard than the standards applied under title V of the Rehabilitation Act of 1973 (29 U.S.C. §§ 790-794a, as amended), or the regulations issued by Federal agencies pursuant to that title. [29 C.F.R. § 1630.1(c)]

Regulations

29 C.F.R. Part 1630

Executive Orders, Memoranda, and Directives

Executive Order No. 13164 – Requiring Federal Agencies to Establish Procedures to Facilitate the Provision of Reasonable Accommodation

Supplemental Material

Equal Employment Opportunity Commission

Aviation and Transportation Security Act of 2001

49 U.S.C. § 114 Transportation Security Administration

49 U.S.C. § 44909 PASSENGER MANIFESTS

SEE ALSO: PUB. LAW 107-71

Overview

President Bush signed the Aviation and Transportation Security Act into law in November 2001, requiring screening conducted by federal officials, 100 percent checked baggage screening, expansion of the Federal Air Marshal Service and reinforced cockpit doors. The Transportation Security Administration (TSA) was created to oversee security in all modes of transportation.

Regulations

19 C.F.R. Part 122, Subpart E

49 C.F.R. § 1540.107

49 C.F.R. Part 1560

Executive Orders, Memoranda, and Directives

Directive on Integration and Use of Screening Information To Protect Against Terrorism, HSPD-6 (Sept. 16, 2003)

Supplemental Material

U.S. Department of Homeland Security
Transportation Security Administration

Travel Resources Page

Passenger Name Record Privacy Policy

Bank Secrecy Act (BSA)

31 U.S.C. § 310

Overview

The Currency and Foreign Transactions Reporting Act of 1970 (which legislative framework is commonly referred to as the “Bank Secrecy Act” or “BSA”) requires U.S. financial institutions to assist U.S. government agencies to detect and prevent money laundering. Specifically, the Act requires financial institutions to keep records of cash purchases of negotiable instruments, file reports of cash transactions exceeding $10,000 (daily aggregate amount), and to report suspicious activity that might signify money laundering, tax evasion, or other criminal activities. It was passed by the Congress of the United States in 1970. The BSA is sometimes referred to as an anti-money laundering” law (“AML”) or jointly as “BSA/AML.” Several AML Acts, including provisions in Title III of the USA PATRIOT Act of 2001, have been enacted up to the present to amend the BSA. (See 31 USC 5311-5330 and 31 CFR Chapter X [formerly 31 CFR Part 103] )

Sec. 31 U.S.C. § 310 (c)(2) requires the US Department of the Treasury, Financial Crimes Enforcement Network (FinCEN) to provide appropriate standards and guidelines for determining who is to be given access to the information maintained by FinCEN; what limits are to be imposed on the use of such information; and how information about activities or relationships which involve or are closely associated with the exercise of constitutional rights is to be screened out of the data maintenance system.

When investigating potential money laundering or Bank Secrecy Act (BSA) violations, the key test (related statute test) is whether, under the facts and circumstances of the particular case, the money laundering and BSA provisions are considered related to the administration of the Internal Revenue laws.

Source: FinCEN’s Mandate from Congress

Helpful Tips

Sec. 31 U.S.C. § 310 (c)(2) Requirements Relating to Maintenance and Use of Data Banks

Regulations

31 C.F.R. Chapter X-Financial Crimes Enforcement Network, Department of the Treasury

Statutory Implementation Guidance

US Department of the Treasury, Financial Crimes Enforcement Network (FinCEN)

Advisory, Maintaining the Confidentiality of Suspicious Activity Reports

Supplemental Material

US Department of the Treasury

Financial Crimes Enforcement Network (FinCEN)

Consolidated Appropriations Act of 2005

Public Law No. 108-447 (see division H, title V, section 522)

Public Law No. 108-447

Overview

The Consolidated Appropriations Act of 2005 (the “Act”) requires that each agency, subject to the Act:

shall have a Chief Privacy Officer to assume primary responsibility for privacy and data protection policy. (Sec. 522(a))
shall establish and implement comprehensive privacy and data protection procedures governing the agency’s collection, use, sharing, disclosure, transfer, storage and security of information in an identifiable form relating to the agency employees and the public. (Sec. 522(b))
shall prepare a written report of its use of information in an identifiable form, along with its privacy and data protection policies and procedures and record it with the Inspector General of the agency to serve as a benchmark for the agency. (Sec. 552(c))
[a]t least every 2 years . . . shall have performed an independent, third party review of the use of information in identifiable form as the privacy and data protection procedures of the agency. (Sec. 522(d))
[u]pon completion of a review, the Inspector General of an agency shall submit to the head of that agency a detailed report on the review. (Sec. 522(e))

Cybersecurity Information Sharing Act of 2015 (CISA)

6 U.S.C. §§ 149, 151, 1501-1510, 1521-1525, 1531-1533

Overview

On December 18, 2015, the President signed the Cybersecurity Act of 2015 (CISA) into law. Congress enacted CISA, Title I of the Cybersecurity Act, to direct the Department of Homeland Security (DHS)—in collaboration with other named agencies—to create a voluntary cybersecurity information sharing process that will protect participants from certain types of liability and encourage public and private entities to share cyber threat information in real-time while protecting the privacy and civil liberties of individuals.

Source: Privacy and Civil Liberties Final Guidelines: Cybersecurity Information Sharing Act of 2015"

Executive Orders, Memoranda, and Directives

Promoting Private Sector Cybersecurity Information Sharing, Exec. Order No. 13691, (80 FR 9349, Feb. 13, 2015)

Improving Critical Infrastructure Cybersecurity, Exec. Order No. 13636 ( 78 FR 11737, February 12, 2013)

Critical Infrastructure Security and Resilience, Presidential Policy Directive/PPD-21 (Feb. 2013)

United States Cyber Incident Coordination, Presidential Policy Directive/PPD–41 (July 2016)

Supplemental Material

U.S. Department of Homeland Security

Federal Policy for the Protection of Human Subjects (Common Rule)

42 U.S.C. § 289

Overview

On July 12, 1974, the National Research Act (Pub. L. 93-348) was signed into law, thereby creating the National Commission for the Protection of Human Subjects of Biomedical and Behavioral Research (the “Commission”). The current U.S. system of protection for human research subjects is heavily influenced by the Belmont Report, written in 1979 by the Commission.

In 1985, Congress enacted 42 U.S.C. § 289, providing that “The Secretary of the U.S. Department of Health and Human Services (HHS) shall by regulation require that each entity which applies for a grant, contract, or cooperative agreement under this chapter for any project or program which involves the conduct of biomedical or behavioral research involving human subjects submit in or with its application for such grant, contract, or cooperative agreement assurances satisfactory to the Secretary that it has established (in accordance with regulations which the Secretary shall prescribe) a board (to be known as an ‘Institutional Review Board’) to review biomedical and behavioral research involving human subjects conducted at or supported by such entity in order to protect the rights of the human subjects of such research.”

The Federal Policy for the Protection of Human Subjects or the “Common Rule” was published in 1991 and codified in separate regulations by 15 Federal departments and agencies. The HHS regulations, 45 CFR part 46, include four subparts: subpart A, also known as the Federal Policy or the “Common Rule”; subpart B, additional protections for pregnant women, human fetuses, and neonates; subpart C, additional protections for prisoners; and subpart D, additional protections for children. A fifth subpart, subpart E, which concerns registration of Institutional Review Boards (IRBs) was added in 2009. For all participating departments and agencies, the Common Rule outlines the basic provisions for IRBs, informed consent, and Assurances of Compliance. Human subject research conducted or supported by each Federal department/agency is governed by the regulations of that department/agency. The head of that department/agency retains final judgment as to whether a particular activity it conducts or supports is covered by the Common Rule. If an institution seeks guidance on implementation of the Common Rule and other applicable Federal regulations, the institution should contact the department/agency conducting or supporting the research.

The HHS and fifteen other Federal departments and agencies have issued final revisions to the Federal Policy for the Protection of Human Subjects (the Common Rule). The Final Rule was published in the Federal Register on January 19, 2017. It implements new steps to better protect human subjects involved in research, while facilitating valuable research and reducing burden, delay, and ambiguity for investigators.

Sources:
The Belmont Report
Federal Policy for the Protection of Human Subjects (‘Common Rule’)
HHS Historical Highlights
Final Revisions to the Common Rule

Helpful Tips

The following terms in the Common Rule outline the regulation’s applicability to privacy:

Section 102(f) of 45 CFR 46 defines “human subject” as “a living individual about whom an investigator (whether professional or student) conducting research obtains:

(1) Data through intervention or interaction with the individual, or
(2) Identifiable private information.”

Private information includes information about behavior that occurs in a context in which an individual can reasonably expect that no observation or recording is taking place, and information which has been provided for specific purposes by an individual and which the individual can reasonably expect will not be made public (for example, a medical record). Private information must be individually identifiable (i.e., the identity of the subject is or may readily be ascertained by the investigator or associated with the information) in order for obtaining the information to constitute research involving human subjects.

Regulations

U.S. Department of Health and Human Services

45 C.F.R. Part 46
See also, Basic HHS Policy for Protection of Human Research Subjects et al

Each agency that has implemented the Common Rule includes in its chapter of the Code of Federal Regulations section numbers and language that are identical to those of the HHS codification at 45 CFR part 46, subpart A. For the complete list and chapters of the CFR see:https://www.hhs.gov/ohrp/regulations-and-policy/regulations/common-rule/index.html.

Supplemental Material

U.S. Department of Health and Human Services

Office for Human Research Protections (OHRP)

Office for Protection from Research Risks (OPRR)

Food and Drug Administration (FDA)

Clinical Trials and Human Subject Protection

The Communications Act of 1934

47 U.S.C. §§ et seq 47 U.S.C. § 222, Privacy of Customer Information
47 U.S.C. § 338(i), Privacy Rights of Satellite Subscribers
47 U.S.C. § 551, Protection of Subscriber Privacy
47 U.S.C. § 605, Unauthorized Publication or Use of Communications
See also, The Communications Act of 1934

Overview

The Communications Act of 1934 (the “Act”) combined and organized federal regulation of telephone, telegraph, and radio communications. The Act created the Federal Communications Commission (FCC) to oversee and regulate these industries. The Act is updated periodically to add provisions governing new communications technologies, such as broadcast, cable and satellite television. The Act, as amended, is an expansive statue regulating U.S. telephone, telegraph, television, and radio communications. Its seven subchapters regulate virtually all aspects of the communications and broadcasting industry, including assignment of frequencies, rates and fees, standards, competition, terms of subscriber access, commercials, broadcasting in the public interest, government use of communications systems. The Act also provides for more detailed regulation and oversight via the establishment of the FCC.

Source: The Communications Act of 1934

Regulations

47 C.F.R. Part 64 Subpart U – Customer Proprietary Network Information

Statutory Implementation Guidance

Federal Communications Commission (FCC)

Note: most FCC rules are adopted by a process known as “notice and comment” rule-making. Under that process, the FCC gives the public notice that it is considering adopting or modifying rules on a particular subject and seeks the public’s comment. The FCC considers the comments received in developing final rules.

Supplemental Material

Federal Communications Commission (FCC)

Protecting Your Privacy: Phone and Cable Records

U.S. Department of Justice

U.S. Attorneys’ Manual, 47 U.S.C. § 605

Office of Justice Programs, Bureau of Justice Assistance

The Communications Act of 1934

Drug Abuse Prevention, Treatment, and Rehabilitation Act (Confidentiality of Alcohol and Drug Abuse Patient Records) (Part 2)

42 U.S.C § 290dd–2

Overview

Confidentiality of substance use disorder (alcohol and drug abuse) patient records is required under 42 U.S.C § 290dd–2 and 42 C.F.R Part 2. The statute and regulation require that records related to patient treatment of substance use disorders remain confidential subject to certain specific exceptions or patient consent to disclose such information. The statute extends to cover “any program or activity relating to substance abuse education, prevention, training, treatment, rehabilitation, or research, which is conducted, regulated, or directly or indirectly assisted by any department or agency of the United States.”T

Source: Listening Session Comments on Substance Abuse Treatment Confidentiality Regulations

Helpful Tips

The Confidentiality of Alcohol and Drug Abuse Patient Records regulations, 42 C.F.R. Part 2, implement section 543 of the Public Health Service Act, 42 U.S.C. § 290dd-2, as amended by section 131 of the Alcohol, Drug Abuse and Mental Health Administration (ADAMHA) Reorganization Act, Public Law 102-321. The regulations were promulgated as a final rule on July 1, 1975 (40 FR 27802).

The restrictions of these regulations upon the disclosure and use of drug abuse patient records were initially authorized by section 408 of the Drug Abuse Prevention, Treatment, and Rehabilitation Act (21 U.S.C. § 1175). That section as amended was transferred by Public Law 98-24 to section 527 of the Public Health Service Act, which is codified at 42 U.S.C. § 290ee-3 (See 42 C.F.R. § 2.1<).

In addition, the restrictions of these regulations upon the disclosure and use of alcohol abuse patient records were initially authorized by section 333 of the Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment, and Rehabilitation Act of 1970 (42 U.S.C. § 4582). The section as amended was transferred by Public Law 98-24 to section 523 of the Public Health Service Act which is codified at 42 U.S.C. § 290dd-3. (See 42 C.F.R. § 2.2).

Regulations

42 C.F.R. Part 2 Confidentiality of Alcohol and Drug Abuse Patient Records

Supplemental Material

U.S. Department of Health and Human Services

Substance Abuse and Mental Health Services Administration (SAMHSA)

E-Government Act of 2002 – Section 208 (E-Government Act)

44 U.S.C. § 3501 note
See also, Public Law 107-347

Overview

The availability of information, from personal information to public information, is made all the easier today due to technological changes in computers, digitized networks, internet access, and the creation of new information products. The E-Government Act of 2002 recognized that these advances also have important ramifications for the protection of personal information contained in government records and systems.

Privacy Impact Assessments (“PIAs”) are required by Section 208 of the E-Government Act for all Federal government agencies that develop or procure new information technology involving the collection, maintenance, or dissemination of information in identifiable form or that make substantial changes to existing information technology that manages information in identifiable form. A PIA is an analysis of how information in identifiable form is collected, stored, protected, shared, and managed. The purpose of a PIA is to demonstrate that system owners and developers have incorporated privacy protections throughout the entire life cycle of a system. The Act requires an agency to make PIAs publicly available, except when an agency in its discretion determines publication of the PIA would raise security concerns, reveal classified (i.e., national security) information, or sensitive (e.g., potentially damaging to a nation interest, law enforcement effort or competitive business interest contained in the assessment) information.

Source: E-government Act of 2002, Department of Justice

Helpful Tips

Several provisions of law were established in the E-Government Act of 2002 (Public Law 107-347), including the Federal Information Security Modernization Act of 2014 and the Confidential Information Protection and Statistical Efficiency Act of 2002. This page is specific to the privacy provisions of section 208 of the E-Government Act of 2002, codified at 44 U.S.C. § 3501 note, which pertain to privacy impact assessments and privacy protections on agency websites.

Statutory Implementation Guidance

Office of Management and Budget

Executive Orders, Memoranda, and Directives

OMB Memorandum M-05-04, Policies for Federal Agency Public Websites (Dec. 2004)

Electronic Communications Privacy Act of 1986 (ECPA)

18 U.S.C. §§ 1367, 2521, 2701 – 2712,3117, 3121 – 3127

18 U.S.C. § 2510 – 2522 Wire and Electronic Communications Interception and Interception of Oral Communications (Wiretap Act)
18 U.S.C. §§ 2701-12. Stored Wire and Electronic Communications and Transactional Records Access (Stored Communications Act)
18 U.S.C. §§ 3121 – 3227 Pen Registers and Trap and Trace Devices
See also: Public Law 99-508

Overview

The Electronic Communications Privacy Act (ECPA) of 1986 created additional privacy protections for stored electronic communications and updated the Federal Wiretap Act to cover electronic communications as well as oral and wire communications. Title II of the ECPA established a comprehensive system of protections for stored communications codified at 18 U.S.C. §§ 2701-2712 which has come to be referred to as the Stored Communications Act (SCA). The ECPA, as amended, protects wire, oral, and electronic communications while those communications are being made, are in transit, and when they are stored on computers. The Act applies to email, telephone conversations, and data stored electronically

Source: Justice Information Sharing, Electronic Communications Privacy Act of 1986

Helpful Tips

ECPA has three titles:

Title I of the ECPA, which is often referred to as the Wiretap Act, prohibits the intentional actual or attempted interception, use, disclosure, or ‘procure[ment] [of] any other person to intercept or endeavor to intercept any wire, oral, or electronic communication.” There are exceptions. Title I also prohibits the use of illegally obtained communications as evidence. [18 U.S.C. § 2515].

Title II of the ECPA, which is called the Stored Communications Act (SCA), protects the privacy of the contents of files stored by service providers and of records held about the subscriber by service providers, such as subscriber name, billing records, or IP addresses. [18 U.S.C. §§ 2701-12].

Title III of the ECPA, which addresses pen register and trap and trace devices, requires government entities to obtain a court order authorizing the installation and use of a pen register (a device that captures the dialed numbers and related information to which outgoing calls or communications are made by the subject) and/or a trap and trace (a device that captures the numbers and related information from which incoming calls and communications coming to the subject have originated). No actual communications are intercepted by a pen register or trap and trace. [18 U.S.C. §§ 3121 – 3227]

Amendments. The ECPA was significantly amended by the Communications Assistance to Law Enforcement Act (CALEA) in 1994, the USA PATRIOT Act in 2001, the USA PATRIOT reauthorization acts in 2006, and the FISA Amendments Act of 2008. Other acts have made specific amendments of lesser significance.

Source: Justice Information Sharing, Electronic Communications Privacy Act of 1986

Supplemental Material

U.S. Department of Justice

U.S. Mission to the European Union

Five Myths Regarding Privacy and Law Enforcement Access to Personal Information in the European Union and the United States, October 2012

Other Materials

Big Data: Seizing Opportunities, Preserving Values

Fair Credit Reporting Act (FCRA)

15 U.S.C. § 1681

Overview

Overview The Fair Credit Reporting Act (FCRA) promotes the accuracy, fairness, and privacy of consumer information contained in the files of consumer reporting agencies. If your company meets the definition of a “consumer reporting agency” (CRA), if you furnish information to CRAs, or if you use that information for certain purposes, you may have obligations under the FCRA.

Source: Federal Trade Commission, Credit Reporting

Regulations

12 C.F.R. §1022
16 C.F.R. § 681
16 C.F.R. § 682

Statutory Implementation Guidance

U.S. Chief Human Capital Officers Council (CHCO)

Governmentwide Guidance to Ensure Fair Employment Opportunities for Applicants Who Are Unemployed or Facing Financial Difficulty Through No Fault of Their Own

Office of Personnel Management (OPM)

Notice No. 15-01: Reminder Regarding Requirements of the Fair Credit Reporting Act
Letter No. 98-02: Background Investigations

Supplemental Material

Consumer Financial Protection Bureau (CFPB)

Federal Trade Commission (FTC)
National Credit Union Administration (NCUA)

Federal Agency Data Mining Reporting Act of 2007 (FADMRA)

42 U.S.C. § 2000ee-3

Overview

The Federal Agency Data Mining Reporting Act of 2007 (FADMRA) is contained in section 803 of the Implementing the Recommendations of the 9/11 Commission Act of 2007. The FADMRA provides that the head of each department or agency of the Federal Government that is engaged in any “pattern-based” data mining activity shall submit a report to Congress on all such activities of the department or agency under the jurisdiction of that official. The report shall be produced in coordination with the privacy officer of that department or agency, if applicable, and shall be made available to the public, except for an annex as described in subparagraph (c).

Federal Information Security Modernization Act of 2014 (FISMA)

44 U.S.C. Chapter 35 (44 U.S.C. §§ 3551-3558)

Overview

The Federal Information Security Modernization Act requires each agency to develop, document, and implement an agency-wide information security program that includes plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the agency.

Source: OMB Circular No. A-130, Managing Information as a Strategic Resource (July 2016)

Helpful Tips

The Federal Information Security Modernization Act of 2014 (FISMA) was codified in the E-Government Act of 2002 as the Federal Information Security Management Act of 2002 (44 U.S.C. § 3501 note), and was reauthorized in 2014 (Pub. L. 113-283). The statute pertains to information security, which is defined as “the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide: a) integrity, which means guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity; b) confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and c) availability, which means ensuring timely and reliable access to and use of information.”
Source: 44 U.S.C. § 3552(b)(3)

Executive Orders, Memoranda, and Directives

Office of Management and Budget

OMB Circular No. A-130, Managing Information as a Strategic Resource (July 2016)

Supplemental Material

Office of Management and Budget (OMB)

U.S. Department of Commerce

National Institute of Standards and Technology (NIST)

U.S. Department of Homeland Security

Computer Security Division, Computer Security Resource Center, Federal Information Security Management Act (FISMA) Implementation Project
- FY 2016 Senior Agency Official for Privacy Federal Information Security Modernization Act of 2014 Reporting Metrics
- Federal Information Security Modernization Act (FISMA) of 2014 information page

Federal Records Act of 1950 (FRA)

44 U.S.C. Chapter 31 et seq

Overview

The FRA provides that “the head of each Federal agency shall make and preserve records containing adequate and proper documentation of the organization, functions, policies, decisions, procedures, and essential transactions of the agency and designed to furnish the information necessary to protect the legal and financial rights of the Government and of persons directly affected by the agency’s activities.” [44 U.S.C. § 3101]

The implementation of the FRA is overseen by the Archivist of the United States, who heads the National Archives and Records Administration (NARA). The Archivist provides “guidance and assistance to Federal agencies with respect to ensuring adequate and proper documentation of the policies and transactions of the Federal Government and ensuring proper records disposition.” [44 U.S.C. § 2904]

Regulations

36 C.F.R. Chapter XII Subchapter B Records Management
36 C.F.R. Part 1236 Electronic Records Management

Foreign Intelligence Surveillance Act of 1978 and Amendments (FISA)

50 U.S.C. 1801 et seq
See also: Public Law 95-511

Overview

FISA authorizes electronic surveillance and other activities to obtain foreign intelligence information. FISA has been amended repeatedly since 1978, including the FISA Amendments Act (FAA) of 2008 containing Section 702 (reflected in Title VII below) and most recently by the USA FREEDOM Act of 2015 (reflected in the various titles below). The titles of FISA are:

Title I – Electronic Surveillance within the United States for Foreign Intelligence Purposes
Title II – Conforming Amendments
Title III – Physical Searches within the United States for Foreign Intelligence Purposes
Title IV – Pen Registers and Trap and Trace Surveillance Devices for Foreign Intelligence Purposes
Title V – Access to Certain Business Records for Foreign Intelligence Purposes
Title VI – Reporting Requirement
Title VII – Additional Procedures Regarding Certain Persons Outside the United States
Title VIII – Protection of Person Assisting the Government

Helpful Tips

Sec. 101. Definition. (50 U.S.C. § 1801)
Sec. 102. Electronic surveillance authorization without court order; certification by Attorney General; reports to Congressional committees; transmittal under seal; duties and compensation of communication common carrier; applications; jurisdiction of court. (50 U.S.C. § 1802)
Sec. 104. Applications for court orders. (50 U.S.C. § 1804)
Sec. 105. Issuance or order. (50 U.S.C. § 1805)
Sec. 106. Use of information. (50 U.S.C. § 1806)
Sec. 301. Definitions. (50 U.S.C. § 1821)
Sec. 302. Authorization of physical searches for foreign intelligence purposes. (50 U.S.C. § 1822)
Sec. 303. Application for order. (50 U.S.C. § 1823)
Sec. 304. Issuance of order. (50 U.S.C. § 1824)
Sec. 305. Use of information. (50 U.S.C. § 1825)
Sec. 401. Definitions. (50 U.S.C. § 1841)
Sec. 402. Pen registers and trap and trace devices for foreign intelligence and international terrorism investigations. (50 U.S.C. § 1842)
Sec. 501. Access to certain business records for foreign intelligence and international terrorism investigations. (50 U.S.C. § 1861)
Sec. 601. Semiannual report of the Attorney General. (50 U.S.C. § 1871)
Sec. 602. Declassification of Signification Decisions, Orders, and Opinions. (50 U.S.C. § 1872)
Sec. 603. Annual Reports. (50 U.S.C. § 1873)
Sec. 702. Procedures for targeting certain persons outside the United States other than United States persons. (50 U.S.C. § 1881a)
Sec. 703. Certain acquisitions inside the United States targeting United States persons outside the United States. (50 U.S.C. § 1881b)
Sec. 704. Other acquisitions targeting United States persons outside the United States. (50 U.S.C. § 1881c)
Sec. 705. Joint applications and concurrent authorizations. (50 U.S.C. § 1881d)
Sec. 706. Use of information acquired under this subchapter. (50 U.S.C. § 1881e)

Freedom of Information Act (FOIA)

5 U.S.C. § 552

Overview

Since 1967, the Freedom of Information Act (FOIA) has provided the public the right to request access to records from any federal agency. It is often described as the law that keeps citizens in the know about their government. Federal agencies are required to disclose any information requested under the FOIA unless it falls under one of nine exemptions which protect interests such as personal privacy, national security, and law enforcement.

Statutory Implementation Guidance

U.S. Department of Justice

Department of Justice Guide to the Freedom of Information Act

Supplemental Material

U.S. Department of Justice

Uniting and Strengthening America by Fulfilling Rights and Ensuring Effective Discipline Over Monitoring Act of 2015 (USA FREEDOM Act)

Pub.L. 114-23, 129 Stat. 268

Overview

The ‘‘Uniting and Strengthening America by Fulfilling Rights and Ensuring Effective Discipline Over Monitoring Act of 2015’’ or the ‘‘USA FREEDOM Act of 2015’’ was enacted “to reform the authorities of the Federal Government to require the production of certain business records [e.g., call detail records], conduct electronic surveillance, use pen registers and trap and trace devices, and use other forms of information gathering for foreign intelligence, counterterrorism, and criminal purposes, and for other purposes.”

Source: Pub.L. 114-23, 129 Stat. 268

Helpful Tips

The USA FREEDOM Act was enacted June 2, 2015, amending the Foreign Intelligence Surveillance Act of 1978 (FISA).

TITLE I—FISA Business Records Reforms
TITLE II— FISA Pen Register and Trap and Trace Device Reform
TITLE III— FISA Acquisitions Targeting Persons outside the United States
TITLE IV— Foreign Intelligence Court Reforms
TITLE V— National Security Letter Reform
TITLE VI— FISA Transparency and Reporting Requirements
TITLE VII— Enhanced National Security Provisions
TITLE VIII— Safety of Maritime Navigation and Nuclear Terrorism Conventions Implementation

Supplemental Material

Loretta E. Lynch, Attorney General of the United States

“Minimization Procedures Used by the National Security Agency in connection with the Production of Call Detail Records Pursuant to Section 501 of the Foreign Intelligence Surveillance Act, as amended,” November 24, 2015

National Security Agency (NSA) Civil Liberties and Privacy Office

Transparency Report: The USA FREEDOM Act Business Records FISA Implementation, January 15, 2016

Privacy and Civil Liberties Oversight Board (PCLOB)

Recommendations Assessment Report, February 5, 2016

U.S. Department of Justice, Federal Bureau of Investigation (FBI)

Termination Procedures for National Security Letter Nondisclosure Requirement, November 24, 2015

Director of the Administrative Office of the U.S. Courts

•Report of the Director of the Administrative Office of the U.S. Courts on Activities of the Foreign Intelligence Surveillance Courts for 2015

Health Insurance Portability and Accountability Act of 1996 (HIPAA) Breach Notification Rule

42 U.S.C. § 17932

Overview

Section 13402 of the Health Information Technology for Economic and Clinical Health (HITECH) Act (the “Act”) requires HIPAA covered entities to provide notification to affected individuals and to the Secretary of the U.S. Department of Health and Human Services (HHS) following the discovery of a breach of unsecured protected health information. In some cases, the Act requires covered entities also to provide notification to the media of breaches. In the case of a breach of unsecured protected health information at or by a business associate of a covered entity, the Act requires the business associate to notify the covered entity of the breach. Finally, the Act requires the Secretary to post on an HHS Web site a list of covered entities that experience breaches of unsecured protected health information involving more than 500 individuals.

The HIPAA Breach Notification Rule, 45 C.F.R. §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. Similar breach notification provisions implemented and enforced by the Federal Trade Commission (FTC), apply to vendors of personal health records and their third party service providers, pursuant to section 13407 of HITECH and the Genetic Information Nondiscrimination Act (GINA).

Source: Health Information Privacy: Breach Notification Rule

Helpful Tips

The U.S. Department of Health and Human Services added a new subpart D to part 164 of title 45 of the Code of Federal Regulations (CFR) to implement the breach notification provisions of section 13402 of the HITECH Act. In developing the interim final rule, the Department consulted closely with the Federal Trade Commission (FTC), which administers similar breach notification requirements on vendors of personal health records (PHRs) and their third party service providers under section 13407 of the HITECH Act. The interim final rule and FTC’s Health Breach Notification Rule (74 FR 42962, published August 25, 2009) made clear that entities operating as HIPAA covered entities and business associates are subject to HHS’, and not the FTC’s, breach notification rule. Second, to address those limited cases where an entity may be subject to both HHS’ and the FTC’s rules, such as a vendor that offers PHRs to customers of a HIPAA covered entity as a business associate and also offers PHRs directly to the public, both sets of regulations were harmonized by including the same or similar language, within the constraints of the statutory language. The HHS rule was finalized in 2013.

Source: Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule (78 FR 5566, January 25, 2013)

Supplemental Material

U.S. Department of Health and Human Services

U.S. Department of Defense, Defense Health Agency (DHA) Privacy and Civil Liberties Office

HIPAA Compliance within the Military Health Systems

U.S. Federal Trade Commission (FTC)

Health Insurance Portability and Accountability Act of 1996 Privacy Rule

Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191)

45 C.F.R. Part 160
45 C.F.R. Part 164 Subparts A and E

Overview

The HIPAA Privacy Rule, adopted by the U.S. Department of Health and Human Services pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.

Sources:
Health Information Privacy: The HIPAA Privacy Rule
The Health Insurance Portability and Accountability Act of 1996

Helpful Tips

The complete suite of HIPAA Administrative Simplification Regulations can be found at 45 C.F.R. Part 160, Part 162, and Part 164, and includes:

Transactions and Code Set Standards
Identifier Standards
Privacy Rule
Security Rule
Enforcement Rule
Breach Notification Rule

Source: Health Information Privacy, Complete Text of All Rules

Supplemental Material

U.S. Department of Veterans Affairs, Office of General Counsel

U.S. Department of Defense, Defense Health Agency (DHA) Privacy and Civil Liberties Office

HIPAA Information

U.S. Department of Defense, Defense Health Agency (DHA) Privacy and Civil Liberties Office

HIPAA Compliance within the Military Health Systems

Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule

Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191)

Overview

The HIPAA Security Rule, adopted by the U.S. Department of Health and Human Services (HHS) pursuant to the Health Insurance Portability and Accountability Act of 1996 establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.

Sources:
Health Information Privacy, The Security Rule
Health Information Portability and Accountability Act of 1996

Helpful Tips

The complete suite of HIPAA Administrative Simplification Regulations can be found at 45 C.F.R. Part 160, Part 162, and Part 164, and includes:

Transactions and Code Set Standards
Identifier Standards
Privacy Rule/LI Security Rule
Enforcement Rule
Breach Notification Rule

Source: Health Information Privacy, Combined Text of All Rules

The Administrative Simplification provisions of HIPAA, Title II required the Secretary of HHS to publish national standards for the security of electronic protected health information (e-PHI), electronic exchange, and the privacy and security of health information. The Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) establish a national set of security standards for protecting certain health information that is held or transferred in electronic form. The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called “covered entities” must put in place to secure individuals’ “electronic protected health information” (e-PHI). The text of the final regulation can be found at 45 C.F.R. Part 160 and Part 164, Subparts A and C.

Supplemental Material

U.S. Department of Health and Human Services (HHS)

U.S. Department of Veterans Affairs (VA)

VA Mobile, Data Security

U.S. Department of Defense, Defense Health Agency (DHA) Privacy and Civil Liberties Office

HIPAA Compliance within the Military Health Systems

Homeland Security Act of 2002

6 USC § 101 et seq

Overview

The Homeland Security Act of 2002 charges the Department of Homeland Security (DHS) Chief Privacy Officer with primary responsibility for ensuring that privacy considerations and protections are integrated into all DHS programs, policies, and procedures. The Chief Privacy Officer serves as the principal advisor to the DHS Secretary on privacy policy.

The activities of the Privacy Office serve to build privacy into departmental programs.

Sources:
Department of Homeland Security, Privacy Office, “Fiscal Year 2016 Semiannual Report to Congress: For the period October 1, 2015 – March 31, 2016,” July 6, 2016
DHS, Authorities and Responsibilities of the Chief Privacy Officer

Helpful Tips

More information can be found in the following resources:

Sec. 222. Privacy Officer. (6 U.S.C. § 142)
Sec. 1004. Information Security and Privacy Advisory Board. (15 U.S.C. § 278g-4)
Sec. 1601. Retention of security sensitive information authority at Department of Transportation. (49 U.S.C. § 40119)

Subsequent amendments, Pub.L. 110-53, Implementing Recommendations of the 9/11 Commission Act of 2007

Executive Orders, Memoranda, and Directives

Immigration and Nationality Act of 1952 (INA)

8 U.S.C. §§ 1101 et seq

Overview

The Immigration and Nationality Act, or INA, was created in 1952. The Act has been amended many times over the years, but is still the basic body of immigration law. The INA is divided into titles, chapters, and sections. Although it stands alone as a body of law, the Act is also contained in the United States Code (U.S.C.). When browsing the INA or other statutes you will often see reference to the U.S. Code citation. For example, Section 208 of the INA deals with asylum, and is also contained in 8 U.S.C. 1158. Although it is correct to refer to a specific section by either its INA citation or its U.S. Code citation, the INA citation is more commonly used.

Source: Immigration and Nationality Act

Helpful Tips

Enforcement of the INA, including protection of confidentiality and privacy, involves multiple agencies, including but not limited to the U.S. Department of State, Customs and Border Protection, U.S. Citizenship and Immigration Services, U.S. Immigration and Customs Enforcement, and the U.S. Department of Labor.

Regulations

8 C.F.R. et seq
22 C.F.R. et seq (Vol. 1 (Parts 1-299) and Vol 2. (Parts 300-1799))

Executive Orders, Memoranda, and Directives

Supplemental Material

Department of State

Department of Homeland Security

Violence Against Women Act (VAWA) Confidentiality Provisions at DHS

U.S. Citizenship and Immigration Services (USCIS)

Customs and Border Patrol

Frequently Asked Questions: Privacy (CBP)

U.S. Immigration and Customs Enforcement

Office of Information Governance and Privacy (ICE)

Department of Labor

Popular Topics: Immigration

Implementing Recommendations of the 9/11 Commission Act of 2007

6 U.S.C. 101 et seq

Overview

This Act amended section 1016 of Intelligence Reform and Terrorism Prevention Act (IRTPA) and amended the Homeland Security Act of 2002 to expand and further refine the scope of the Information Sharing Environment (ISE).

Helpful Tips

More information can be found in the following resources:

Sec. 504. Information sharing. (6 U.S.C. § 485)
Sec. 511. Department of Homeland Security State, Local, and Regional Fusion Center Initiative. (6 U.S.C. § 121 et seq)
Sec. 801. Modification of authorities relating to Privacy and Civil Liberties Oversight Board. (5 U.S.C. § 601 note)
Sec. 802. Department Privacy Officer. (6 U.S.C. § 142)
Sec. 803. Privacy and Civil Liberties Officers. (42 U.S.C. § 2000ee-1)
Sec. 804. Federal Agency Data Mining Reporting Act of 2007. (42 U.S.C. § 2000ee-3)
Sec. 1606. Appeal and redress process for passengers wrongly delayed or prohibited from boarding a flight. (49 U.S.C. § 44926)

Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA)

Pub. L. 108-458

Office of the Director of National Intelligence Legal Reference Book

Overview

IRTPA addresses many different facets of information gathering and the intelligence community. IRPTA’s eight titles reflect its broad scope:

Title I – Reform of the Intelligence Community
Title II – Federal Bureau of Investigation
Title III – Security Clearances
Title IV – Transportation Security
Title V – Border Protection, Immigration, and Visa Matters
Title VI – Terrorism Prevention
Title VII – Implementation of 9/11 Commission Recommendations
Title VIII – Other Matters, including a requirement that the Department of Homeland Security ensure that the civil rights and civil liberties of persons are not diminished by efforts, activities, and programs aimed at securing the homeland.

Helpful Tips

More information can be found in the following resources:

Sec. 1011. Reorganization and improvement of management of intelligence community. (50 U.S.C. § 3021 et seq)
Sec. 103D. Civil Liberties Protection Officer. (50 U.S.C. § 3029)
Sec. 1016. Information sharing. (6 U.S.C. § 485)
Sec. 1061. Privacy and Civil Liberties Oversight Board. (42 U.S.C. § 2000ee et seq)
Sec. 1062. Sense of Congress on Designation of Privacy and Civil Liberties Officers. (Pub.L. 108-458)
Sec. 4012. Advanced airline passenger prescreening. (49 U.S.C. § 44903(j)(2))
Sec. 6002. Additional semiannual reporting requirements under the Foreign Intelligence Surveillance Act of 1978. (50 U.S.C. § 1871)
Sec. 7212. Driver’s licenses and personal identification cards. (49 U.S.C. § 30301 note)
Sec. 8302. Mission of Department of Homeland Security. (6 U.S.C. § 111(b)(1))
Sec. 8303. Officer for Civil Rights and Civil Liberties. (6 U.S.C. § 345(a))
Sec. 8304. Protection of civil rights and civil liberties by Office of Inspector General. (5 U.S.C. App. Inspector General Act of 1978)
Sec. 8305. Privacy officer. (6 U.S.C. § 142)

Executive Orders, Memoranda, and Directives

Paperwork Reduction Act of 1995 (PRA)

44 U.S.C. Chapter 35 et seq

Overview

The Paperwork Reduction Act (PRA), signed into law in 1980 and reauthorized in 1995, provides the statutory framework for the Federal government’s collection, use, and dissemination of information. The goals of the PRA include (1) minimizing paperwork and reporting burdens on the American public and (2) ensuring the maximum possible utility from the information that is collected.

In support of these goals, the PRA requires Federal agencies to take specific steps before requiring or requesting information from the public. These steps include (1) seeking public comment on proposed information collections and (2) submitting proposed collections for review and approval by the Office of Management and Budget (OMB). Within OMB, the Office of Information and Regulatory Affairs (OIRA) carries out the information collection review.

One of the purposes of the Paperwork Reduction Act is to “ensure that the creation, collection, maintenance, use, dissemination, and disposition of information by or for the Federal Government is consistent with applicable laws, including laws relating to (A) privacy and confidentiality, including section 552a of title 5; (B) security of information, including section 11332 of title 40; and (C) access to information, including section 552 of title 5.” 44 U.S.C. § 3501(8).

Source: Office of Information and Regulatory Affairs – Regulations and the Rule Making Process

Helpful Tips

The Paperwork Reduction Act was signed into law in 1980, reauthorized in 1995, and subsequently amended.

Regulations

5 C.F.R. § 1320

Executive Orders, Memoranda, and Directives

Office of Management and Budget

Privacy Act of 1974 (Privacy Act)

5 U.S.C. § 552a

Overview

The Privacy Act of 1974, 5 U.S.C. § 552a, establishes a code of fair information practices that governs the collection, maintenance, use, and dissemination of information about individuals that is maintained in systems of records by federal agencies. A system of records is a group of records under the control of an agency from which information is retrieved by the name of the individual or by some identifier assigned to the individual.

The Privacy Act requires U.S. Government agencies give public notice of their systems of records by publication in the Federal Register. The Privacy Act prohibits the disclosure of a record about an individual from a system of records absent the written consent of the individual, unless the disclosure is pursuant to one of twelve statutory exceptions. The Act also provides individuals with a means by which to seek access to and amendment of their records, and sets forth various agency record-keeping requirements.

Source: U.S. Department of Justice – Privacy Act of 1974

Helpful Tips

The Computer Matching and Privacy Protection Act of 1988 (Pub. Law 100-503), amended the Privacy Act to include provisions governing computer-matching activities – those provisions have been incorporated into the Privacy Act.

Section 7 of Public Law 93-579, regarding Social Security numbers was originally part of the Privacy Act, but was not codified; it may be found at §552a in the note section. Similarly, Sections 6 and 9 of Public Law 100-503, the Computer Matching and Privacy Protection Act of 1988, may also be found at §552a in the note section.

Statutory Implementation Guidance

Office of Management and Budget

Executive Orders, Memoranda, and Directives

OMB Memorandum for Privacy Act Officers of Departments and Agencies

Status of Biennial Reporting Requirements under the Privacy Act and the Computer Matching and Privacy Protection Act (June 21, 2000)

OMB Memorandum for Agency Chief Information Officers

Biennial Privacy Act and Computer Matching Reports (June 1998)

OMB Memorandum for the Chief Information Officers

Privacy Act Responsibilities for Implementing the Personal Responsibility and Work Opportunity Reconciliation Act of 1996 (November 3, 1997)

OMB Memorandum for the Senior Agency Officials for Information Resources Management

•Privacy Act Guidance — Update (May 24, 1985)

OMB Memorandum M-83-11, Guidelines on the Relationship Between the Privacy Act of 1974 and the Debt Collection Act of 1982

Privacy Act Guidance — Update (May 24, 1985)

OMB Memorandum to the Heads of Executive Departments and Establishments

Congressional Inquiries which Entail Access to Personal Information Subject to the Privacy Act (October 3, 1975)

Supplemental Material

Overview of the Privacy Act of 1974, U.S. Department of Justice

Title V – Confidential Information Protection and Statistical Efficiency Act of 2002 of the E-Government Act of 2002 (CIPSEA)

44 U.S.C. § 3501 note

Overview

The Confidential Information Protection and Statistical Efficiency Act of 2002 (CIPSEA) can provide strong confidentiality protections for statistical information collections, such as surveys and censuses, as well as for other statistical activities, such as data analysis, modeling, and sample design, that are sponsored or conducted by Federal agencies.

Source: Implementation Guidance for Title V of the E-Government Act, Confidential Information Protection and Statistical Efficiency Act of 2002 (CIPSEA)