SENATE DOCKET, NO. 566        FILED ON: 1/13/2009

SENATE  .  .  .  .  .  .  .  .  .  .  .  .  .  .  No. 931

The Commonwealth of Massachusetts

_______________

In the Year Two Thousand Nine

_______________

An Act regarding the Commonwealth Fusion Center and other intelligence data centers..

Be it enacted by the Senate and House of Representatives in General Court assembled, and by the authority of the same, as follows:
 

SECTION 1.  The General Laws are hereby amended by inserting after chapter 12B the following chapter:-

CHAPTER 12C

Office of Data Protection and Privacy Oversight for the Commonwealth Fusion Center and Other Intelligence Data Centers

Section 1.  As used in this chapter, the following words shall have the following meanings: --

“Boston Regional Intelligence Center”, that entity within the office of the police commissioner of the Boston police department responsible for collecting and analyzing intelligence data within the Metro-Boston homeland security region, or any successor entity.

“Commonwealth Fusion Center”, that entity established by Executive Order 476 within the executive office of public safety and homeland security.

“Office”, the office of data protection and privacy oversight for Massachusetts intelligence data centers.

“Intelligence data center”, any entity whose mission includes collecting, analyzing, and sharing intelligence data and other data for law enforcement or homeland security purposes, including the commonwealth fusion center and the Boston regional intelligence center.

“Personally identifiable information”, all personal data, as defined in section 1 of Chapter 66A of the General Laws, and any data element or combination of data elements that identifies or could be used to identify any individual, including, but not limited to, by any of the following:

name of person;

date of birth;

address of residence;

electronic password;

unique account number;

phone number;

biometric identifiers including signature, DNA, fingerprints, iris or retinal scans, palm telemetry, photograph, facial recognition measurements or any other biometric measurement; 

e-mail address; 

Internet Protocol address;

(10) web address; or

(11) any other unique identifier

Section 2.  There shall be an office of data protection and privacy oversight for intelligence data centers operating in Massachusetts, including the commonwealth fusion center, which shall be independent of any supervision or control by any executive agency.

Section 3.  The office shall be under the direction of a commissioner, who shall devote full time to his or her duties.

Section 4.  The commissioner shall be appointed by the unanimous vote of the governor, the president of the senate and the speaker of the house of representatives, and the secretary of the commonwealth, and shall serve for a term of three years.

Section 5.  The person so appointed shall be selected without regard to party affiliation and solely on the basis of integrity and demonstrated ability in data management, privacy protection, public administration, law, management analysis, or the administration of justice.

In case of a vacancy in the position of the commissioner, his or her successor shall be appointed in the same manner for the unexpired term.  No person shall be appointed for more than two three-year terms.

The person so appointed may be removed from office, for cause, by a majority vote of the attorney general, the state auditor, and the governor.  Such cause may include substantial neglect of duty, gross misconduct or conviction of a crime.  The reasons for removal of the commissioner shall be stated in writing and shall include the basis for such removal.  Such writing shall be sent to the clerk of the senate, the clerk of the house of representatives, the governor, and the secretary of the commonwealth at the time of the removal and shall be deemed to be a public document.

Section 6.  The commissioner may, subject to appropriation, appoint such other personnel as may be deemed necessary to perform the duties of the office.

The commissioner shall be authorized to apply for, and accept on behalf of the commonwealth, federal, local or private grants, bequests, gifts or contributions for the purpose of carrying out the functions of the office.

The commissioner shall develop procedures for the office appropriate to the effective performance of its duties.

Section 7.  The commissioner or his or her designees shall have access at any and all reasonable times to any facility, program, or portion thereof that is operated by intelligence data centers in the commonwealth, and to all records, reports, materials, and employees in order to carry out the responsibilities of the office.

Section 8.  The commissioner may request the attendance and testimony of witnesses and the production of documents, papers, books, records, reports, reviews, recommendations correspondence, data and other information that the commissioner reasonably believes is relevant to the oversight and reporting responsibilities of the office.  If a request is denied, the commissioner shall have the power to issue a subpoena for witnesses and the production of documents and any other data, in whatever form, including electronic, that the commissioner reasonably believes is relevant.  If any person to whom a subpoena is issued fails to appear, or having appeared, refuses to give testimony or fails to produce evidence required, the commissioner may apply to the superior court to issue an order to compel the testimony and production of documents of any such witnesses.  A failure to obey the order may be punished as contempt.  Any person or office or custodian of records to whom such a request or subpoena is directed may seek injunctive relief in the superior court to defer a subpoena issued by the commissioner.

Section 9.  The office shall:

examine, on a system-wide basis, the entire scope of the intelligence and other operations of intelligence data centers in Massachusetts;

investigate, evaluate, and analyze the particular procedures, both as written and in practice, employed by intelligence data centers in collecting data, including personally identifiable information, and in protecting the privacy and security of such information;

investigate, evaluate, and analyze the particular procedures, both written and in practice, employed by intelligence data centers to ensure that the activities of such centers do not infringe on the rights to freedom of assembly, association, and expression guaranteed by the United States constitution and the Massachusetts Declaration of Rights;

investigate, evaluate, and analyze the impact of any military involvement in intelligence data center activities;

investigate, evaluate, and analyze the impact of any private sector involvement in intelligence data center activities on the privacy and security of personally identifiable information;

investigate, evaluate, and analyze the quality, timeliness, completeness, accuracy and efficiency of intelligence data centers’ responses to individuals’ requests under the provisions of chapter 66A of the general laws;

issue semi-annual written reports, which shall be public records, and shall be filed with the clerks of the senate and house of representatives, and submitted to the governor, the chairs of the house and the senate ways and means committees, the chairs of the joint committees on the judiciary, on public safety and homeland security, on consumer protection and professional licensure, on economic development and emerging technologies, and on state administration and regulatory oversight.  The first report shall be filed on or before January 30, 2010;

assist and cooperate with the members of the great and general court and the several relevant committees, as noted, in convening and participating in annual public hearings concerning the operations of intelligence data centers in the commonwealth;

provide independent oversight of data and privacy protection functions at intelligence data centers, with regard to the collection, maintenance and storage, and any disclosure, transfer, or dissemination of personally identifiable information or intelligence data; 

advise the public and public officials in all branches and at all levels of state government about the data and privacy protection operations of the commonwealth fusion center and other intelligence data centers; and

make annual findings and recommendations concerning the operations of the commonwealth fusion center and other intelligence centers and submit appropriate legislation to address identified issues.

SECTION 2.  Chapter 276 of the General Laws is hereby amended by striking out section 1A, as appearing in the 2006 Official Edition, and inserting in place thereof the following section:-

Section 1A.  No state or local law enforcement agency, prosecutorial office, or police or peace officer shall collect or maintain information about the political, religious or social views, associations or activities of any individual, group, association, organization, corporation, business or partnership or other entity unless such information directly relates to an investigation of criminal activities, and there are reasonable grounds to suspect the subject of the information is involved in criminal conduct.

SECTION 3.  Said Chapter 276 is hereby further amended by inserting after section 1A the following section:-

Section 1B.  Any information collected or maintained under section 1A of this chapter shall be referred to hereinafter as “protected information.”  No intelligence data center, as defined in chapter 12C of the General Laws, or state or local law enforcement agency in receipt of information from an intelligence data center, shall collect, maintain, or disseminate such information except in accordance with the provisions of this section:

No information shall be knowingly received, maintained, or disseminated that has been obtained in violation of any applicable federal, state, or local law, ordinance, or regulation.

All protected information shall be evaluated for the reliability of its source and the accuracy of its content prior to being recorded in any investigation file.

Protected information shall be disseminated only to law enforcement agencies, contingent upon review and prior written authorization by the head of the originating law enforcement agency or intelligence data center.  A record of any such written authorization shall be maintained for a minimum of five years.

All investigations undertaken on the basis of any protected information shall first be authorized in writing by the head of the investigating law enforcement agency or intelligence data center.  A record of any such written authorization shall be maintained in the corresponding investigation file  for a minimum of five years

All information recorded in any investigation file shall be reviewed at least once every five years, and any information that is not reliable, accurate, relevant, and timely, shall be destroyed, provided however, that any documents related to the authorization for and termination of investigations based in whole or in part on protected information collected under section 1A of this chapter, and any authorization to disseminate such protected information, shall be retained.

SECTION 4.  Section 3 of Chapter 66A of the General Laws, as appearing in the 2006 Official Edition, is hereby amended by inserting after the word “towns.”, at line 9, the following:-

The Secretary of Public Safety and Security shall promulgate rules and regulations to carry out the purposes of this chapter which shall be applicable to the Commonwealth Fusion Center and other intelligence data centers, including those operated by public safety entities of the cities and towns.