Sec. 313. Report on sensitive commercially available information
/bill/118/s/4443/rs/section-313·A research copy — for the controlling text, always check the official state or federal source. Not legal advice.
The term commercially available information means— any data or other information of the type customarily made available or obtainable and sold, leased, or licensed to members of the general public or to non-governmental entities for purposes other than governmental purposes; or data and information for exclusive government use knowingly and voluntarily provided by, procured from, or made accessible by corporate entities on their own initiative or at the request of a government entity.
The term personally identifiable information means information that, alone or when combined with other information regarding an individual, can be used to distinguish or trace the identity of such individual.
The term sensitive activities means activities that, over an extended period of time— establish a pattern of life; reveal personal affiliations, preferences, or identifiers; facilitate prediction of future acts; enable targeting activities; reveal the exercise of individual rights and freedoms, including the rights to freedom of speech and of the press, to free exercise of religion, to peaceably assemble, including membership or participation in organizations or associations, and to petition the government; or reveal any other activity the disclosure of which could cause substantial harm, embarrassment, inconvenience, or unfairness to the United States person who engaged in the activity.
The term sensitive commercially available information— means commercially available information that is known or reasonably expected to contain— a substantial volume of personally identifiable information regarding United States persons; or a greater than de minimis volume of sensitive data; shall not include— newspapers or other periodicals; weather reports; books; journal articles or other published works; public filings or records; documents or databases similar to those described in clauses (i) through (v), whether accessed through a subscription or accessible free of cost; or limited data samples made available to elements of the intelligence community for the purposes of allowing such elements to determine whether to purchase the full dataset and not accessed, retained, or used for any other purpose.
The term sensitive data means data that— captures personal attributes, conditions, or identifiers that are traceable to 1 or more specific United States persons, either through the dataset or by correlating the dataset with other available information; and concerns the race or ethnicity, political opinions, religious beliefs, sexual orientation, gender identity, medical or genetic information, financial data, or any other data with respect to such specific United States person or United States persons the disclosure of which would have the potential to cause substantial harm, embarrassment, inconvenience, or unfairness to the United States person or United States persons described by the data; or captures the sensitive activities of 1 or more United States persons.
The term United States person means— a United States citizen or an alien lawfully admitted for permanent residence to the United States; an unorganized association substantially composed of United States citizens or permanent resident aliens; or an entity organized under the laws of the United States or of any jurisdiction within the United States, with the exception of any such entity directed or controlled by a foreign government.
Not later than 60 days after the date of the enactment of this Act, and annually thereafter, the head of each element of the intelligence community shall submit to the congressional intelligence committees a report on the access to, collection, processing, and use of sensitive commercially available information by the respective element.
For each dataset containing sensitive commercially available information accessed, collected, processed, or used by the element concerned for purposes other than research and development, a report required by paragraph (1) shall include the following: A description of the nature and volume of the sensitive commercially available information accessed or collected by the element. A description of the mission or administrative need or function for which the sensitive commercially available information is accessed or collected, and of the nature, scope, reliability, and timeliness of the dataset required to fulfill such mission or administrative need or function. A description of the purpose of the access, collection, or processing, and the intended use of the sensitive commercially available information. An identification of the legal authority for the collection or access, and processing of the sensitive commercially available information. An identification of the source of the sensitive commercially available information and the persons from whom the sensitive commercially available information was accessed or collected. A description of the mechanics of the access, collection, and processing of the sensitive commercially available information, including the Federal entities that participated in the procurement process. A description of the method by which the element has limited the access to and collection and processing of the sensitive commercially available information to the maximum extent feasible consistent with the need to fulfill the mission or administrative need. An assessment of whether the mission or administrative need can be fulfilled if reasonably available privacy-enhancing techniques, such as filtering or anonymizing, the application of traditional safeguards, including access limitations and retention limits, differential privacy techniques, or other information-masking techniques, such as restrictions or correlation, are implemented with respect to information concerning United States persons.
An assessment of the privacy and civil liberties risks associated with accessing, collecting, or processing the data and the methods by which the element mitigates such risks. An assessment of the applicability of section 552a of title 5, United States Code (commonly referred to as the Privacy Act of 1974), if any. To the extent feasible, an assessment of the original source of the data and the method through which the dataset was generated and aggregated, and whether any element of the intelligence community previously accessed or collected the same or similar sensitive commercially available information from the source. An assessment of the quality and integrity of the data, including, as appropriate, whether the sensitive commercially available information reflects any underlying biases or inferences, and efforts to ensure that any intelligence products created with the data are consistent with the standards of the intelligence community for accuracy and objectivity. An assessment of the security, operational, and counterintelligence risks associated with the means of accessing or collecting the data, and recommendations for how the element could mitigate such risks. A description of the system in which the data is retained and processed and how the system is properly secured while allowing for effective implementation, management, and audit, as practicable, of relevant privacy and civil liberties protections. An assessment of security risks posed by the system architecture of vendors providing sensitive commercially available information or access to such sensitive commercially available information, access restrictions for the data repository of each such vendor, and the vendor's access to query terms and, if any, relevant safeguards. A description of procedures to restrict access to the sensitive commercially available information.
A description of procedures for conducting, approving, documenting, and auditing queries, searches, or correlations with respect to the sensitive commercially available information. A description of procedures for restricting dissemination of the sensitive commercially available information, including deletion of information of United States persons returned in response to a query or other search unless the information is assessed to be associated or potentially associated with the documented mission-related justification for the query or search. A description of masking and other privacy-enhancing techniques used by the element to protect sensitive commercially available information. A description of any retention and deletion policies. A determination of whether unevaluated data or information has been made available to other elements of the intelligence community or foreign partners and, if so, identification of those elements or partners. A description of any licensing agreements or contract restrictions with respect to the sensitive commercially available information. A data management plan for the lifecycle of the data, from access or collection to disposition. For any item required by clauses (i) through (xxiii) that cannot be completed due to exigent circumstances relating to collecting, accessing, processing, or using sensitive commercially available information, a description of such exigent circumstances.
For each dataset containing sensitive commercially available information accessed, collected, processed, or used by the element concerned solely for research and development purposes, a report required by paragraph (1) may be limited to a description of the oversight by the element of such access, collection, process, and use.
The Director of National Intelligence shall make available to the public, once every 2 years, a report on the policies and procedures of the intelligence community with respect to access to and collection, processing, and safeguarding of sensitive commercially available information.