Legislation
SECTION 94
Agency obligations
Public Officers (PBO) CHAPTER 47, ARTICLE 6-A
§ 94. Agency obligations. (1) Each agency that maintains a system of
records shall:
(a) except when a data subject provides an agency with unsolicited
personal information, maintain in its records only such personal
information which is relevant and necessary to accomplish a purpose of
the agency required to be accomplished by statute or executive order, or
to implement a program specifically authorized by law;
(b) consistent with the standards of paragraph (a) of this
subdivision, maintain all records used by the agency to make any
determination about any data subject with accuracy, relevance,
timeliness and completeness provided however, that personal information
or records received by an agency from another governmental unit for
inclusion in public safety agency records shall be presumed to be
accurate;
(c) collect personal information directly from the data subject
whenever practicable, except when collected for the purpose of making
quasi-judicial determinations;
(d) provide each data subject whom it requests to supply information
to be maintained in a record, at the time of the initial request, with
notification as provided in this paragraph. Where such notification has
been provided, subsequent requests for information from the data subject
to be maintained in the same record need not be accompanied by
notification unless the initial notification is not applicable to the
subsequent request. Notification shall include:
(i) the name of the agency and any subdivision within the agency that
is requesting the personal information and the name or title of the
system of records in which such information will be maintained;
(ii) the title, business address and telephone number of the agency
official who is responsible for the system of records;
(iii) the authority granted by law, which authorizes the collection
and maintenance of the information;
(iv) the effects on such data subject, if any, of not providing all or
any part of the requested information;
(v) the principal purpose or purposes for which the information is to
be collected; and
(vi) the uses which may be made of the information pursuant to
paragraphs (b), (e) and (f) of subdivision one of section ninety-six of
this article;
(e) ensure that no record pertaining to a data subject shall be
modified or destroyed to avoid the provisions of this article;
(f) cause the requirements of this article to be applied to any
contract it executes for the operation of a system of records, or for
research, evaluation or reporting, by the agency or on its behalf;
(g) establish written policies in accordance with law governing the
responsibilities of persons pertaining to their involvement in the
design, development, operation or maintenance of any system of records,
and instruct each such person with respect to such policies and the
requirements of this article, including any other rules and regulations
and procedures adopted pursuant to this article, and the penalties for
noncompliance;
(h) establish appropriate administrative, technical and physical
safeguards to ensure the security of records;
(i) establish rules governing retention and timely disposal of records
in accordance with law;
(j) designate an agency employee who shall be responsible for ensuring
that the agency complies with all of the provisions of this article;
(k) whenever a data subject is entitled under this article to gain
access to a record, disclose such record at a location near the
residence of the data subject whenever reasonable, or by mail;
(l) upon denial of a request under subdivision one or two of section
ninety-five of this article, inform the data subject of its procedures
for review of initial determinations and the name and business address
of the reviewing officials.
(2) In order to carry out the provisions of this article each agency
that maintains a system of records shall promulgate rules which shall
set forth the following:
(a) procedures by which a data subject can learn if a system of
records contains any records pertaining to him or her;
(b) reasonable times, places and means for verifying the identity of a
data subject who requests access to his or her record;
(c) procedures for providing access, upon the data subject's request,
to the data subject's record;
(d) procedures for reviewing a request from a data subject for access
to, and for correction or amendment of his or her record, for making a
determination on such request, and for an appeal within the agency of an
initial adverse agency determination.
(3) Each agency, for disclosures made pursuant to paragraphs (d), (i)
and (l) of subdivision one of section ninety-six of this article, except
for disclosures made for inclusion in public safety agency records when
such record is requested for the purpose of obtaining information
required for the investigation of a violation of civil or criminal
statutes within the disclosing agency, shall:
(a) keep an accurate accounting of the date, nature and purpose of
each disclosure of a record or personal information, and the name and
address of the person or governmental unit to whom the disclosure is
made;
(b) retain the accounting made under paragraph (a) of this subdivision
as part of said record for at least five years after the disclosure for
which the accounting is made, or for the life of the record disclosed,
whichever is longer;
(c) at the request of the data subject, inform any person or other
governmental unit to which a disclosure has been or is made of any
correction, amendment, or notation of dispute made by the agency,
provided that an accounting of the prior disclosure was made or that the
data subject to whom the record pertains provides the name of such
person or governmental unit;
(d) with respect to a disclosure made for inclusion in a public safety
agency record or to a governmental unit or component thereof whose
primary function is the enforcement of civil or criminal statutes,
notify the receiving governmental unit that an accounting of such
disclosure is being made pursuant to this subdivision and that such
accounting will be accessible to the data subject upon his or her
request unless otherwise specified by the receiving governmental unit
pursuant to paragraph (e) of this subdivision;
(e) with respect to a disclosure made for inclusion in a public safety
agency record or to a governmental unit or component thereof whose
primary function is the enforcement of civil or criminal statutes, if in
its request for the record the receiving governmental unit states that
it has determined that access by the data subject to the accounting of
such disclosure would impede criminal investigations and specifies the
approximate date on which such determination will no longer be
applicable, refuse the data subject access to such accounting or
information that such accounting has been made, except upon court
ordered subpoena, during the applicable time period. Upon the expiration
of said time period the disclosing agency shall inquire of the receiving
governmental unit as to the continued relevancy of the initial
determination and, unless requested in writing by the receiving
governmental unit to extend the determination for a specified period of
time, shall make available to the data subject an accounting of said
disclosure; and
(f) in making a disclosure pursuant to subdivision one of section
ninety-six of this article, an agency shall make such disclosure
pursuant to paragraph (d), (i) or (l) of said subdivision only when such
disclosure cannot be made pursuant to any other paragraph of said
subdivision.
(4) (a) Any agency which established or substantially modified a
system of records after December fifteenth, nineteen hundred eighty, but
before the effective date of this article, or which did not report to
the committee a system of records which it maintained prior to December
fifteenth, nineteen hundred eighty, shall file notice with the committee
pursuant to chapter six hundred seventy-seven of the laws of nineteen
hundred eighty within thirty business days of the effective date of this
article.
(b) Any agency which seeks to establish a system of records subsequent
to the effective date of this article shall file with the committee a
privacy impact statement as prescribed by subdivision four of section
ninety-three of this article. Any agency which seeks to modify a system
of records in a way which would render inaccurate any information set
forth in the privacy impact statement, in the notice described in
paragraph (a) of this subdivision or in the notice filed pursuant to
chapter six hundred seventy-seven of the laws of nineteen hundred
eighty, shall file with the committee a supplemental statement to
conform the privacy impact statement or notice to the proposed
modification. Unless the date by which such proposed system or
modification is required by law to be instituted is less than thirty
business days from the date of the filing of the privacy impact
statement, no such proposed system or modification shall be instituted
until the completion of the procedures set forth in subdivision three of
section ninety-three of this article.
(5) Each agency shall, within fifteen business days of the receipt of
an advisory opinion issued by the committee, respond in writing to the
committee as to the following:
(a) the actions it has taken, or will take, to comply with the
advisory opinion; or
(b) the reasons for disagreement and noncompliance with the advisory
opinion.
(6) On or before the first day of September of each year, each agency
shall submit a report covering the preceding year to the committee. The
report shall include, with respect to requests for access to records and
with respect to requests for correction or amendment of records pursuant
to subdivisions one and two of section ninety-five of this article,
respectively, the following information:
(i) the number of determinations made to grant such requests; and
(ii) the number of determinations made to deny such requests, in whole
or in part, respectively.
(7) The provisions of paragraphs (c) and (d) of subdivision one of
this section shall not apply to the following:
(a) personal information that is collected for inclusion in a public
safety agency record;
(b) personal information that is maintained by a licensing or
franchise-approving agency or component thereof for the purpose of
determining whether administrative or criminal action should be taken to
restrain or prosecute purported violations of law, or to grant, deny,
suspend, or revoke a professional, vocational, or occupational license,
certification or registration, or to deny or approve a franchise;
(c) personal information solicited from a data subject receiving
services at a treatment facility, provided that each such data subject
shall, as soon as practicable, be provided a notification including
information specified in subparagraphs (i), (ii), (iii), (iv), (v) and
(vi) of paragraph (d) of subdivision one of this section describing
systems of records concerning the data subject maintained by the
treatment facility.
(8) The provisions of subdivisions two, three and six of this section
shall not apply to public safety agency records.
(9) Nothing in this article shall abrogate in any way any obligation
regarding the maintenance of records otherwise imposed on an agency at
law or in equity.
(10) Each agency record which is transferred to the state archives as
a record which has sufficient historical or other value to warrant its
continued preservation by the state shall, for the purposes of this
article, be considered to be maintained by the state archives and shall
be exempt from the requirements of this article, except as otherwise
provided in this section and except that such record shall continue to
be subject to inspection and correction by the data subject by
application to the agency which compiled it, as provided in subdivisions
one through four of section ninety-five of this chapter.