You are here
Public Officers Law Article 6-A Personal Privacy Protection Law
Section
91. Short title.
92. Definitions.
93. Powers and duties of the committee.
94. Agency obligations.
95. Access to records.
96. Disclosure of records.
97. Civil remedies.
98. No waiver.
99. Executive authority.
§ 91. Short title. This article shall be known as the "personal privacy protection law".
§ 92. Definitions.
(1) Agency. The term "agency" means any state board, bureau, committee, commission, council, department, public authority, public benefit corporation, division, office or any other governmental entity performing a governmental or proprietary function for the state of New York, except the judiciary or the state legislature or any unit of local government and shall not include offices of district attorneys.
(2) Committee. The term "committee" means the committee on open government as constituted pursuant to subdivision one of section eighty-nine of this chapter.
(3) Data subject. The term "data subject" means any natural person about whom personal information has been collected by an agency.
(4) Disclose. The term "disclose" means to reveal, release, transfer, disseminate or otherwise communicate personal information or records orally, in writing or by electronic or any other means other than to the data subject.
(5) Governmental unit. The term "governmental unit" means any governmental entity performing a governmental or proprietary function for the federal government or for any state or any municipality thereof.
(6) Law. The term "law" means state or federal statute, rule or regulation.
(7) Personal information. The term "personal information" means any information concerning a data subject which, because of name, number, symbol, mark or other identifier, can be used to identify that data subject.
(8) Public safety agency record. The term "public safety agency record" means a record of the commission of correction, the temporary state commission of investigation, the department of correctional services, the division for youth, the division of parole, the crime victims board, the division of probation and correctional alternatives or the division of state police or of any agency or component thereof whose primary function is the enforcement of civil or criminal statutes if such record pertains to investigation, law enforcement, confinement of persons in correctional facilities or supervision of persons pursuant to criminal conviction or court order, and any records maintained by the division of criminal justice services pursuant to sections eight hundred thirty-seven, eight hundred thirty-seven-a, eight hundred thirty-seven-b, eight hundred thirty-seven-c, eight hundred thirty-eight, eight hundred thirty-nine, eight hundred forty-five, and eight hundred forty-five-a of the executive law and by the department of state pursuant to section ninety-nine of the executive law.
(9) Record. The term "record" means any item, collection or grouping of personal information about a data subject which is maintained and is retrievable by use of the name or other identifier of the data subject irrespective of the physical form or technology used to maintain such personal information. The term "record" shall not include personal information which is not used to make any determination about the data subject if it is:
(a) a telephone book or directory which is used exclusively for telephone and directory information;
(b) any card catalog, book or other resource material in any library;
(c) any compilation of information containing names and addresses only which is used exclusively for the purpose of mailing agency information;
(d) personal information required by law to be maintained, and required by law to be used, only for statistical research or reporting purposes;
(e) information requested by the agency which is necessary for the agency to answer unsolicited requests by the data subject for information; or
(f) correspondence files.
(10) Routine use. The term "routine use" means, with respect to the disclosure of a record or personal information, any use of such record or personal information relevant to the purpose for which it was collected, and which use is necessary to the statutory duties of the agency that collected or obtained the record or personal information, or necessary for that agency to operate a program specifically authorized by law.
(11) System of records. The term "system of records" means any group of records under the actual or constructive control of any agency pertaining to one or more data subjects from which personal information is retrievable by use of the name or other identifier of a data subject.
§ 93. Powers and duties of the committee.
(1) The committee shall prepare a directory derived from the information provided pursuant to section three of chapter six hundred seventy-seven of the laws of nineteen hundred eighty and subdivision four of section ninety-four of this article. The directory shall include the name of each system of records subject to the provisions of this article, the name and subdivision of the agency maintaining it, the title and business address of the person responsible therefor, the approximate number of data subjects and the categories of information collected, and sufficient information for the identification of rules promulgated by agencies pursuant to this article. Individuals shall be permitted to purchase the directory for a reasonable price as set by the committee in accordance with law.
(2) The committee may, upon request of a data subject eligible to make a request under section ninety-five of this article, investigate, make findings and furnish an advisory opinion in connection with the requirements of section ninety-five of this article. Prior to the issuance of an advisory opinion, the committee may require an agency to provide additional information which the committee deems necessary to render an opinion. However, no system of records exempt from the provisions of section ninety-five of this article shall be subject to the provisions of this subdivision.
(3) Within thirty business days of the receipt of a privacy impact statement or supplemental statement by an agency the committee shall review such statement to determine whether the maintenance of the system is within the lawful authority of the agency and to determine whether there have been established rules and procedures as required by section ninety-four of this article. However, such review by the committee shall not include examination of personal information or records collected or maintained by such agency. After review of such information the committee may notify the agency of the result of its review. Such notification and result shall not constitute an advisory opinion and shall not be reported as such by the committee and there shall be no obligation upon the agency to respond to such notification or result.
(4) The committee shall promulgate rules for the specification of the form of the privacy impact statement. Such privacy impact statement shall include the following:
(a) the name of the agency and the subdivision within the agency that will maintain the system of records, and the name or title of the system of records in which such information will be maintained;
(b) the title and business address of the official within the agency responsible for the system of records;
(c) where applicable, the procedures by which a data subject may gain access to personal information pertaining to such data subject in the system of records and the procedures by which a data subject may seek to amend or correct its contents;
(d) the categories and the approximate number of persons on whom records will be maintained in the system of records;
(e) the categories of information which will be collected and maintained in the system of records;
(f) the purposes for which each category of information within the system of records will be collected and maintained;
(g) the disclosures of personal information within the system of records that the agency will regularly make for each category of information, and the authority for such disclosures;
(h) the general or specific statutory authority for the collection, maintenance and disclosure of each category of information within the system of records;
(i) policies governing retention and timely disposal of information within the system of records in accordance with law;
(j) each and every source for each category of information within the system of records;
(k) a statement indicating whether the system of records will be maintained manually, by automated data system, or both.
(5) The committee shall report its activities and findings, including recommendations for changes in the law, to the governor and the legislature annually, on or before December fifteenth.
(6) In order to carry out the provisions of this article, the committee is authorized to:
(a) enter into contracts or other arrangements or modifications thereof, with any government, any governmental unit, or any department of the state, or with any individual, firm, association or corporation within the amounts appropriated therefor and subject to the audit and warrant of the state comptroller;
(b) delegate any of its functions to such officers and employees of the committee as the committee may designate;
(c) establish model guidelines with respect to the implementation of this article.
§ 94. Agency obligations.
(1) Each agency that maintains a system of records shall:
(a) except when a data subject provides an agency with unsolicited personal information, maintain in its records only such personal information which is relevant and necessary to accomplish a purpose of the agency required to be accomplished by statute or executive order, or to implement a program specifically authorized by law;
(b) consistent with the standards of paragraph (a) of this subdivision, maintain all records used by the agency to make any determination about any data subject with accuracy, relevance, timeliness and completeness provided however, that personal information or records received by an agency from another governmental unit for inclusion in public safety agency records shall be presumed to be accurate;
(c) collect personal information directly from the data subject whenever practicable, except when collected for the purpose of making quasi-judicial determinations;
(d) provide each data subject whom it requests to supply information to be maintained in a record, at the time of the initial request, with notification as provided in this paragraph. Where such notification has been provided, subsequent requests for information from the data subject to be maintained in the same record need not be accompanied by notification unless the initial notification is not applicable to the subsequent request. Notification shall include:
(i) the name of the agency and any subdivision within the agency that is requesting the personal information and the name or title of the system of records in which such information will be maintained;
(ii) the title, business address and telephone number of the agency official who is responsible for the system of records;
(iii) the authority granted by law, which authorizes the collection and maintenance of the information;
(iv) the effects on such data subject, if any, of not providing all or any part of the requested information;
(v) the principal purpose or purposes for which the information is to be collected; and
(vi) the uses which may be made of the information pursuant to paragraphs (b), (e) and (f) of subdivision one of section ninety-six of this article;
(e) ensure that no record pertaining to a data subject shall be modified or destroyed to avoid the provisions of this article;
(f) cause the requirements of this article to be applied to any contract it executes for the operation of a system of records, or for research, evaluation or reporting, by the agency or on its behalf;
(g) establish written policies in accordance with law governing the responsibilities of persons pertaining to their involvement in the design, development, operation or maintenance of any system of records, and instruct each such person with respect to such policies and the requirements of this article, including any other rules and regulations and procedures adopted pursuant to this article, and the penalties for noncompliance;
(h) establish appropriate administrative, technical and physical safeguards to ensure the security of records;
(i) establish rules governing retention and timely disposal of records in accordance with law;
(j) designate an agency employee who shall be responsible for ensuring that the agency complies with all of the provisions of this article;
(k) whenever a data subject is entitled under this article to gain access to a record, disclose such record at a location near the residence of the data subject whenever reasonable, or by mail;
(l) upon denial of a request under subdivision one or two of section ninety-five of this article, inform the data subject of its procedures for review of initial determinations and the name and business address of the reviewing officials.
(2) In order to carry out the provisions of this article each agency that maintains a system of records shall promulgate rules which shall set forth the following:
(a) procedures by which a data subject can learn if a system of records contains any records pertaining to him or her;
(b) reasonable times, places and means for verifying the identity of a data subject who requests access to his or her record;
(c) procedures for providing access, upon the data subject`s request, to the data subject`s record;
(d) procedures for reviewing a request from a data subject for access to, and for correction or amendment of his or her record, for making a determination on such request, and for an appeal within the agency of an initial adverse agency determination.
(3) Each agency, for disclosures made pursuant to paragraphs (d), (i) and (l) of subdivision one of section ninety-six of this article, except for disclosures made for inclusion in public safety agency records when such record is requested for the purpose of obtaining information required for the investigation of a violation of civil or criminal statutes within the disclosing agency, shall:
(a) keep an accurate accounting of the date, nature and purpose of each disclosure of a record or personal information, and the name and address of the person or governmental unit to whom the disclosure is made;
(b) retain the accounting made under paragraph (a) of this subdivision as part of said record for at least five years after the disclosure for which the accounting is made, or for the life of the record disclosed, whichever is longer;
(c) at the request of the data subject, inform any person or other governmental unit to which a disclosure has been or is made of any correction, amendment, or notation of dispute made by the agency, provided that an accounting of the prior disclosure was made or that the data subject to whom the record pertains provides the name of such person or governmental unit;
(d) with respect to a disclosure made for inclusion in a public safety agency record or to a governmental unit or component thereof whose primary function is the enforcement of civil or criminal statutes, notify the receiving governmental unit that an accounting of such disclosure is being made pursuant to this subdivision and that such accounting will be accessible to the data subject upon his or her request unless otherwise specified by the receiving governmental unit pursuant to paragraph (e) of this subdivision;
(e) with respect to a disclosure made for inclusion in a public safety agency record or to a governmental unit or component thereof whose primary function is the enforcement of civil or criminal statutes, if in its request for the record the receiving governmental unit states that it has determined that access by the data subject to the accounting of such disclosure would impede criminal investigations and specifies the approximate date on which such determination will no longer be applicable, refuse the data subject access to such accounting or information that such accounting has been made, except upon court ordered subpoena, during the applicable time period. Upon the expiration of said time period the disclosing agency shall inquire of the receiving governmental unit as to the continued relevancy of the initial determination and, unless requested in writing by the receiving governmental unit to extend the determination for a specified period of time, shall make available to the data subject an accounting of said disclosure; and
(f) in making a disclosure pursuant to subdivision one of section ninety-six of this article, an agency shall make such disclosure pursuant to paragraph (d), (i) or (l) of said subdivision only when such disclosure cannot be made pursuant to any other paragraph of said subdivision.
(4)
(a) Any agency which established or substantially modified a system of records after December fifteenth, nineteen hundred eighty, but before the effective date of this article, or which did not report to the committee a system of records which it maintained prior to December fifteenth, nineteen hundred eighty, shall file notice with the committee pursuant to chapter six hundred seventy-seven of the laws of nineteen hundred eighty within thirty business days of the effective date of this article.
(b) Any agency which seeks to establish a system of records subsequent to the effective date of this article shall file with the committee a privacy impact statement as prescribed by subdivision four of section ninety-three of this article. Any agency which seeks to modify a system of records in a way which would render inaccurate any information set forth in the privacy impact statement, in the notice described in paragraph (a) of this subdivision or in the notice filed pursuant to chapter six hundred seventy-seven of the laws of nineteen hundred eighty, shall file with the committee a supplemental statement to conform the privacy impact statement or notice to the proposed modification. Unless the date by which such proposed system or modification is required by law to be instituted is less than thirty business days from the date of the filing of the privacy impact statement, no such proposed system or modification shall be instituted until the completion of the procedures set forth in subdivision three of section ninety-three of this article.
(5) Each agency shall, within fifteen business days of the receipt of an advisory opinion issued by the committee, respond in writing to the committee as to the following:
(a) the actions it has taken, or will take, to comply with the advisory opinion; or
(b) the reasons for disagreement and noncompliance with the advisory opinion.
(6) On or before the first day of September of each year, each agency shall submit a report covering the preceding year to the committee. The report shall include, with respect to requests for access to records and with respect to requests for correction or amendment of records pursuant to subdivisions one and two of section ninety-five of this article, respectively, the following information:
(i) the number of determinations made to grant such requests; and
(ii) the number of determinations made to deny such requests, in whole or in part, respectively.
(7) The provisions of paragraphs (c) and (d) of subdivision one of this section shall not apply to the following:
(a) personal information that is collected for inclusion in a public safety agency record;
(b) personal information that is maintained by a licensing or franchise-approving agency or component thereof for the purpose of determining whether administrative or criminal action should be taken to restrain or prosecute purported violations of law, or to grant, deny, suspend, or revoke a professional, vocational, or occupational license, certification or registration, or to deny or approve a franchise;
(c) personal information solicited from a data subject receiving services at a treatment facility, provided that each such data subject shall, as soon as practicable, be provided a notification including information specified in subparagraphs (i), (ii), (iii), (iv), (v) and (vi) of paragraph (d) of subdivision one of this section describing systems of records concerning the data subject maintained by the treatment facility.
(8) The provisions of subdivisions two, three and six of this section shall not apply to public safety agency records.
(9) Nothing in this article shall abrogate in any way any obligation regarding the maintenance of records otherwise imposed on an agency at law or in equity.
(10) Each agency record which is transferred to the state archives as a record which has sufficient historical or other value to warrant its continued preservation by the state shall, for the purposes of this article, be considered to be maintained by the state archives and shall be exempt from the requirements of this article, except as otherwise provided in this section and except that such record shall continue to be subject to inspection and correction by the data subject by application to the agency which compiled it, as provided in subdivisions one through four of section ninety-five of this chapter.
§ 95. Access to records.
(1)
(a) Each agency subject to the provisions of this article, within five business days of the receipt of a written request from a data subject for a record reasonably described pertaining to that data subject, shall make such record available to the data subject, deny such request in whole or in part and provide the reasons therefor in writing, or furnish a written acknowledgement of the receipt of such request and a statement of the approximate date when such request will be granted or denied, which date shall not exceed thirty days from the date of the acknowledgement.
(b) An agency shall not be required to provide a data subject with access to a record pursuant to this section if:
(i) the agency does not have the possession of such record;
(ii) such record cannot be retrieved by use of the data subject`s description thereof, or by use of the name or other identifier of the data subject, without extraordinary search methods being employed by the agency; or
(iii) access to such record is not required to be provided pursuant to subdivision five, six or seven of this section.
(c) Upon payment of, or offer to pay, the fee prescribed by section eighty-seven of this chapter, the agency shall provide a copy of the record requested and certify to the correctness of such copy if so requested. The record shall be made available in a printed form without any codes or symbols, unless accompanied by a document fully explaining such codes or symbols. Upon a data subject`s voluntary request the agency shall permit a person of the data subject`s choosing to accompany the data subject when reviewing and obtaining a copy of a record, provided that the agency may require the data subject to furnish a written statement authorizing discussion of the record in the accompanying person`s presence.
(2) Each agency shall, within thirty business days of receipt of a written request from a data subject for correction or amendment of a record or personal information, reasonably described, pertaining to that data subject, which he or she believes is not accurate, relevant, timely or complete, either:
(a) make the correction or amendment in whole or in part, and inform the data subject that upon his or her request such correction or amendment will be provided to any or all persons or governmental units to which the record or personal information has been or is disclosed, pursuant to paragraph (c) of subdivision three of section ninety-four of this article; or
(b) inform the data subject of its refusal to correct or amend the record and its reasons therefor.
(3) Any data subject whose request under subdivision one or two of this section is denied in whole or in part may, within thirty business days, appeal such denial in writing to the head, chief executive or governing body of the agency, or the person designated as the reviewing official by such head, chief executive or governing body. Such official shall within seven business days of the receipt of an appeal concerning denial of access, or within thirty business days of the receipt of an appeal concerning denial of correction or amendment, either provide access to or correction or amendment of the record sought and inform the data subject that, upon his or her request, such correction or amendment will be provided to any or all persons or governmental units to which the record or personal information has been or is disclosed, pursuant to paragraph (c) of subdivision three of section ninety-four of this article, or fully explain in writing to the data subject the factual and statutory reasons for further denial and inform the data subject of his or her right to thereupon seek judicial review of the agency`s determination under section ninety-seven of this article. Each agency shall immediately forward to the committee a copy of such appeal, the determination thereof and the reasons therefor.
(4) If correction or amendment of a record or personal information is denied in whole or in part upon appeal, the agency shall inform the data subject of the right to file with the agency a statement of reasonable length setting forth the reasons for disagreement with the agency`s determination and that, upon request, his or her statement of disagreement will be provided to any or all persons or governmental units to which the record has been or is disclosed, pursuant to paragraph (c) of subdivision three of section ninety-four of this article. With respect to any personal information about which a data subject has filed a statement of disagreement, the agency shall clearly note any portions of the record which are disputed, and shall attach the data subject`s statement of disagreement as part of the record. When providing the data subject`s statement of disagreement to other persons or governmental units pursuant to paragraph (c) of subdivision three of section ninety-four of this article, the agency may, if it deems appropriate, also include in the record a concise statement of the agency`s reasons for not making the requested amendment.
(5)
(a) Any agency which may not otherwise exempt personal information from the operation of this section may do so, unless access by the data subject is otherwise authorized or required by law, if such information is compiled for law enforcement purposes and would, if disclosed:
(i) interfere with law enforcement investigations or judicial proceedings;
(ii) deprive a person of a right to a fair trial or impartial adjudication;
(iii) identify a confidential source or disclose confidential information relating to a criminal investigation; or
(iv) reveal criminal investigative techniques or procedures, except routine techniques and procedures.
(b) When providing the data subject with access to information described in paragraph (b) of subdivision seven of section ninety-four of this article, an agency may withhold the identity of a source who furnished said information under an express promise that his or her identity would be held in confidence.
(6) Nothing in this section shall require an agency to provide a data subject with access to:
(a) personal information to which he or she is specifically prohibited by statute from gaining access;
(b) patient records concerning mental disability or medical records where such access is not otherwise required by law;
(c) personal information pertaining to the incarceration of an inmate at a state correctional facility which is evaluative in nature or which, if such access was provided, could endanger the life or safety of any person, unless such access is otherwise permitted by law or by court order;
(d) attorney`s work product or material prepared for litigation before judicial, quasi-judicial or administrative tribunals, as described in subdivisions (c) and (d) of section three thousand one hundred one of the civil practice law and rules, except pursuant to statute, subpoena issued in the course of a criminal action or proceeding, court ordered or grand jury subpoena, search warrant or other court ordered disclosure.
(7) This section shall not apply to public safety agency records.
(8) Nothing in this section shall limit, restrict, abrogate or deny any right a person may otherwise have including rights granted pursuant to the state or federal constitution, law or court order.
§ 96. Disclosure of records.
(1) No agency may disclose any record or personal information unless such disclosure is:
(a) pursuant to a written request by or the voluntary written consent of the data subject, provided that such request or consent by its terms limits and specifically describes:
(i) the personal information which is requested to be disclosed;
(ii) the person or entity to whom such personal information is requested to be disclosed; and
(iii) the uses which will be made of such personal information by the person or entity receiving it; or
(b) to those officers and employees of, and to those who contract with, the agency that maintains the record if such disclosure is necessary to the performance of their official duties pursuant to a purpose of the agency required to be accomplished by statute or executive order or necessary to operate a program specifically authorized by law; or
(c) subject to disclosure under article six of this chapter, unless disclosure of such information would constitute an unwarranted invasion of personal privacy as defined in paragraph (a) of subdivision two of section eighty-nine of this chapter; or
(d) to officers or employees of another governmental unit if each category of information sought to be disclosed is necessary for the receiving governmental unit to operate a program specifically authorized by statute and if the use for which the information is requested is not relevant to the purpose for which it was collected; or
(e) for a routine use, as defined in subdivision ten of section ninety-two of this article; or
(f) specifically authorized by statute or federal rule or regulation; or
(g) to the bureau of the census for purposes of planning or carrying out a census or survey or related activity pursuant to the provisions of Title XIII of the United States Code; or
(h) to a person who has provided the agency with advance written assurance that the record will be used solely for the purpose of statistical research or reporting, but only if it is to be transferred in a form that does not reveal the identity of any data subject; or
(i) pursuant to a showing of compelling circumstances affecting the health or safety of a data subject, if upon such disclosure notification is transmitted to the data subject at his or her last known address; or
(j) to the state archives as a record which has sufficient historical or other value to warrant its continued preservation by the state or for evaluation by the state archivist or his or her designee to determine whether the record has such value; or
(k) to any person pursuant to a court ordered subpoena or other compulsory legal process; or
(l) for inclusion in a public safety agency record or to any governmental unit or component thereof which performs as one of its principal functions any activity pertaining to the enforcement of criminal laws, provided that, such record is reasonably described and is requested solely for a law enforcement function; or
(m) pursuant to a search warrant; or
(n) to officers or employees of another agency if the record sought to be disclosed is necessary for the receiving agency to comply with the mandate of an executive order, but only if such records are to be used only for statistical research, evaluation or reporting and are not used in making any determination about a data subject.
(2) Nothing in this section shall require disclosure of:
(a) personal information which is otherwise prohibited by law from being disclosed;
(b) patient records concerning mental disability or medical records where such disclosure is not otherwise required by law;
(c) personal information pertaining to the incarceration of an inmate at a state correctional facility which is evaluative in nature or which, if disclosed, could endanger the life or safety of any person, unless such disclosure is otherwise permitted by law;
(d) attorney`s work product or material prepared for litigation before judicial, quasi-judicial or administrative tribunals, as described in subdivisions (c) and (d) of section three thousand one hundred one of the civil practice law and rules, except pursuant to statute, subpoena issued in the course of a criminal action or proceeding, court ordered or grand jury subpoena, search warrant or other court ordered disclosure.
§ 97. Civil remedies.
(1) Any data subject aggrieved by any action taken under this article may seek judicial review and relief pursuant to article seventy-eight of the civil practice law and rules.
(2) In any proceeding brought under subdivision one of this section, the party defending the action shall bear the burden of proof, and the court may, if the data subject substantially prevails against any agency and if the agency lacked a reasonable basis pursuant to this article for the challenged action, award to the data subject reasonable attorneys` fees and disbursements reasonably incurred.
(3) Nothing in this article shall be construed to limit or abridge the right of any person to obtain judicial review or pecuniary or other relief, in any other form or upon any other basis, otherwise available to a person aggrieved by any agency action under this article.
§ 98. No waiver. Any agreement purporting to waive a data subject`s rights under this article is hereby declared to be void as against public policy.
§ 99. Executive authority. Nothing in this article shall limit the authority of the governor to exercise his or her responsibilities.
