LibGuides: Information Privacy & Data Security: Federal Agency Resources

Federal Trade Commission (FTC)

The FTC is the chief federal agency for privacy policy and enforcement. This is based upon its responsibility for enforcing important privacy acts such as the Fair Credit Reporting Act and the Children's Online Privacy Protection Act (COPPA), the EU-US Privacy Shield agreement, as well from its exercise of authority to combat unfair and deceptive practices under the FTC Act. Its broad authority under section 5(a) of the FTC act has allowed it to emerge as the de facto information privacy regulator in the U.S., filling in gaps left by the rather fragmented, sector-by-sector approach favored thus far by Congress.

FTC privacy homepage
The starting point for understanding the FTC's role and activity in enforcing privacy rights. The FTC has multiple divisions, including the Division of Privacy and Identity Protection (DPIP).
more...less...
The DPIP enforces:
Section 5 of the FTC Act;
The Fair Credit Reporting Act;
The Gramm-Leach-Bliley Act;
The Children’s Online Privacy Protection Act; and
The Health Breach Notification Rule
FTC Act
While not expressly mentioning privacy, section 5(a) of the act has served as the FTC's authority for many privacy violation enforcement actions.

A recommended book for understanding the history of the FTC and specifically on its evolving role in enforcing privacy rights is Chris Jay Hoofnagle, Federal Trade Commission: Privacy Law & Policy (Cambridge Univ. Press, 2016). Main stacks: KF 1611 .H66 2016

A recommended article describing the FTC's development of a "common law" of privacy rights through its power to police unfair and deceptive trade practices is Daniel J. Solove & Woodrow Hartzog, The FTC and the New Common Law of Privacy, 114 Columbia L. Rev. 583 (2014).

Health & Human Services (HHS)

The department of Health & Human Services (HHS) is responsible for the protection of privacy for health information under HIPAA. Within the HHS, the Office of Civil Rights is in charge of enforcing the provisions of HIPAA and the implementing regulations. This website of HHS is the main page for information on HIPAA protections and enforcement.

Privacy and Security Framework
The OCR created this framework explaining six principles for protecting health information.
Records, Computers, and the Rights of Citizens (HEW 1973)
The Dept of Health, Education and Welfare (HEW) was the predecessor to the HHS. In 1973, it issued a highly influential report on privacy issues related to information stored on computers. It articulated a number of "fair information practice principles" (FIPP'S) which have formed the basis of many subsequent privacy policies and guidelines.

OMB (Office of Management & Budget)

The Office of Management and Budget (OMB) has responsibility for developing privacy policy for the executive branch of government. Numerous OMB memoranda, circulars and guidance documents have been issued since the 1970's providing guidance to federal agencies on: (1) the implementation of federal laws addressing privacy and data security, and (2) best practices to be followed with technology and information used by the federal government. This website of the OMB has links to all of these documents.

CRS Reports

CRS Reports
The Congressional Research Service (CRS) is a non-partisan policy research unit of the US Congress. The CRS has issued many reports on the subjects of privacy and data security. Its database of full-text reports is searchable by keyword. Until 2018, the CRS did not make its reports available to the public. Therefore its current database of reports is evolving and not yet complete.

CRS reports are also available through the HeinOnline database, which has a more extensive collection of reports. In HeinOnline, use the "U.S. Congressional Documents" database, and the advanced search feature allows filtering to only CRS reports, which can then be searched by keyword.

U.S. Department of Justice

The Justice Department has the Office of Privacy and Civil Liberties (OPCL). This office protects the public by ensuring the department's compliance with numerous federal laws related to privacy, including the Privacy Act of 1974, the E-Government Act of 2002 and the Federal Information Security Modernization Act of 2014. The OPCL provides oversight and coordination of the privacy procedure of the department and all its components. The OPCL's website is a good source for examining the policies and procedures put in place by an agency to ensure its compliance with the law.

Department of Education

Department of Education FERPA program
The Department of Education administers the requirements of FERPA and provides guidance and assistance to educational institutions covered by the statute and regulations. FERPA regulations are found at 34 CFR, Part 99.

Department of Commerce

US - EU Safe Harbor Framework
Following the implementation of the EU Data Protection Directive in 1998 a mechanism was needed to ensure that personal information flowing into the US met the EU data protection requirements. In 2000, after negotiations with the EU, the Department of Commerce began operating the Safe Harbor Framework, which was a method for US companies to certify that they were in compliance with EU standards. After many criticisms of the effectiveness of this program, the European Court of Justice rejected the Safe Harbor program in 2015. The replacement program is the EU-US Privacy Shield Framework, administered by the FTC.
more...less...
From the FTC: "To join the EU-U.S. Privacy Shield framework, a company must self-certify to the U.S. Department of Commerce (“Commerce”) that it complies with a set of principles and related requirements that have been deemed by the European Commission as providing “adequate” privacy protection."