Legislation
SECTION 93
Powers and duties of the committee
Public Officers (PBO) CHAPTER 47, ARTICLE 6-A
§ 93. Powers and duties of the committee. (1) The committee shall
prepare a directory derived from the information provided pursuant to
section three of chapter six hundred seventy-seven of the laws of
nineteen hundred eighty and subdivision four of section ninety-four of
this article. The directory shall include the name of each system of
records subject to the provisions of this article, the name and
subdivision of the agency maintaining it, the title and business address
of the person responsible therefor, the approximate number of data
subjects and the categories of information collected, and sufficient
information for the identification of rules promulgated by agencies
pursuant to this article. Individuals shall be permitted to purchase the
directory for a reasonable price as set by the committee in accordance
with law.
(2) The committee may, upon request of a data subject eligible to make
a request under section ninety-five of this article, investigate, make
findings and furnish an advisory opinion in connection with the
requirements of section ninety-five of this article. Prior to the
issuance of an advisory opinion, the committee may require an agency to
provide additional information which the committee deems necessary to
render an opinion. However, no system of records exempt from the
provisions of section ninety-five of this article shall be subject to the
provisions of this subdivision.
(3) Within thirty business days of the receipt of a privacy impact
statement or supplemental statement by an agency the committee shall
review such statement to determine whether the maintenance of the system
is within the lawful authority of the agency and to determine whether
there have been established rules and procedures as required by section
ninety-four of this article. However, such review by the committee shall
not include examination of personal information or records collected or
maintained by such agency. After review of such information the
committee may notify the agency of the result of its review. Such
notification and result shall not constitute an advisory opinion and
shall not be reported as such by the committee and there shall be no
obligation upon the agency to respond to such notification or result.
(4) The committee shall promulgate rules for the specification of the
form of the privacy impact statement. Such privacy impact statement
shall include the following:
(a) the name of the agency and the subdivision within the agency that
will maintain the system of records, and the name or title of the system
of records in which such information will be maintained;
(b) the title and business address of the official within the agency
responsible for the system of records;
(c) where applicable, the procedures by which a data subject may gain
access to personal information pertaining to such data subject in the
system of records and the procedures by which a data subject may seek to
amend or correct its contents;
(d) the categories and the approximate number of persons on whom
records will be maintained in the system of records;
(e) the categories of information which will be collected and
maintained in the system of records;
(f) the purposes for which each category of information within the
system of records will be collected and maintained;
(g) the disclosures of personal information within the system of
records that the agency will regularly make for each category of
information, and the authority for such disclosures;
(h) the general or specific statutory authority for the collection,
maintenance and disclosure of each category of information within the
system of records;
(i) policies governing retention and timely disposal of information
within the system of records in accordance with law;
(j) each and every source for each category of information within the
system of records;
(k) a statement indicating whether the system of records will be
maintained manually, by automated data system, or both.
(5) The committee shall report its activities and findings, including
recommendations for changes in the law, to the governor and the
legislature annually, on or before December fifteenth.
(6) In order to carry out the provisions of this article, the
committee is authorized to:
(a) enter into contracts or other arrangements or modifications
thereof, with any government, any governmental unit, or any department
of the state, or with any individual, firm, association or corporation
within the amounts appropriated therefor and subject to the audit and
warrant of the state comptroller;
(b) delegate any of its functions to such officers and employees of
the committee as the committee may designate;
(c) establish model guidelines with respect to the implementation of
this article.