Page:United States Statutes at Large Volume 118.djvu/3299

 118 STAT. 3269 PUBLIC LAW 108–447—DEC. 8, 2004 of title 5, 11 United States Code, internal controls, and other relevant matters; (7) ensuring that the Department protects information in an identifiable form and information systems from unauthor ized access, use, disclosure, disruption, modification, or destruc tion; (8) training and educating employees on privacy and data protection policies to promote awareness of and compliance with established privacy and data protection policies; and (9) ensuring compliance with the Departments established privacy and data protection policies. (b) ESTABLISHING PRIVACY AND DATA PROTECTION PROCEDURES AND POLICIES.— (1) IN GENERAL.—Within 12 months of enactment of this Act, each agency shall establish and implement comprehensive privacy and data protection procedures governing the agency’s collection, use, sharing, disclosure, transfer, storage and secu rity of information in an identifiable form relating to the agency employees and the public. Such procedures shall be consistent with legal and regulatory guidance, including OMB regulations, the Privacy Act of 1974, and section 208 of the E Government Act of 2002. (c) RECORDING.—Each agency shall prepare a written report of its use of information in an identifiable form, along with its privacy and data protection policies and procedures and record it with the Inspector General of the agency to serve as a benchmark for the agency. Each report shall be signed by the agency privacy officer to verify that the agency intends to comply with the proce dures in the report. By signing the report the privacy officer also verifies that the agency is only using information in identifiable form as detailed in the report. (d) INDEPENDENT, THIRD PARTY REVIEW.— (1) IN GENERAL.—At least every 2 years, each agency shall have performed an independent, third party review of the use of information in identifiable form as the privacy and data protection procedures of the agency to— (A) determine the accuracy of the description of the use of information in identifiable form; (B) determine the effectiveness of the privacy and data protection procedures; (C) ensure compliance with the stated privacy and data protection policies of the agency and applicable laws and regulations; and (D) ensure that all technologies used to collect, use, store, and disclose information in identifiable form allow for continuous auditing of compliance with stated privacy policies and practices governing the collection, use and distribution of information in the operation of the program. (2) PURPOSES.—The purposes of reviews under this sub section are to— (A) ensure the agency’s description of the use of information in an identifiable form is accurate and accounts for the agency’s current technology and its processing of information in an identifiable form; (B) measure actual privacy and data protection prac tices against the agency’s recorded privacy and data protec tion procedures; Deadlines. Reports.

�