93. Powers and duties of the committee. (1) The committee shall prepare a directory derived from the information provided pursuant to section three of chapter six hundred seventy-seven of the laws of nineteen hundred eighty and subdivision four of section ninety-four of this article. The directory shall include the name of each system of records subject to the provisions of this article, the name and subdivision of the agency maintaining it, the title and business address of the person responsible therefor, the approximate number of data subjects and the categories of information collected, and sufficient information for the identification of rules promulgated by agencies pursuant to this article. Individuals shall be permitted to purchase the directory for a reasonable price as set by the committee in accordance with law.
(2) The committee may, upon request of a data subject eligible to make a request under section ninety-five of this article, investigate, make findings and furnish an advisory opinion in connection with the requirements of section ninety-five of this article. Prior to the issuance of an advisory opinion, the committee may require an agency to provide additional information which the committee deems necessary to render an opinion. However, no system of records exempt from the provisions of section ninety-five of this article shall be subject to the provisions of this subdivision.
(3) Within thirty business days of the receipt of a privacy impact statement or supplemental statement by an agency the committee shall review such statement to determine whether the maintenance of the system is within the lawful authority of the agency and to determine whether there have been established rules and procedures as required by section ninety-four of this article. However, such review by the committee shall not include examination of personal information or records collected or maintained by such agency. After review of such information the committee may notify the agency of the result of its review. Such notification and result shall not constitute an advisory opinion and shall not be reported as such by the committee and there shall be no obligation upon the agency to respond to such notification or result.
(4) The committee shall promulgate rules for the specification of the form of the privacy impact statement. Such privacy impact statement shall include the following:
(a) the name of the agency and the subdivision within the agency that will maintain the system of records, and the name or title of the system of records in which such information will be maintained;
(b) the title and business address of the official within the agency responsible for the system of records;
(c) where applicable, the procedures by which a data subject may gain access to personal information pertaining to such data subject in the system of records and the procedures by which a data subject may seek to amend or correct its contents;
(d) the categories and the approximate number of persons on whom records will be maintained in the system of records;
(e) the categories of information which will be collected and maintained in the system of records;
(f) the purposes for which each category of information within the system of records will be collected and maintained;
(g) the disclosures of personal information within the system of records that the agency will regularly make for each category of information, and the authority for such disclosures;
(h) the general or specific statutory authority for the collection, maintenance and disclosure of each category of information within the system of records;
(i) policies governing retention and timely disposal of information within the system of records in accordance with law;
(j) each and every source for each category of information within the system of records;
(k) a statement indicating whether the system of records will be maintained manually, by automated data system, or both.
(5) The committee shall report its activities and findings, including recommendations for changes in the law, to the governor and the legislature annually, on or before December fifteenth.
(6) In order to carry out the provisions of this article, the committee is authorized to:
(a) enter into contracts or other arrangements or modifications thereof, with any government, any governmental unit, or any department of the state, or with any individual, firm, association or corporation within the amounts appropriated therefor and subject to the audit and warrant of the state comptroller;
(b) delegate any of its functions to such officers and employees of the committee as the committee may designate;
(c) establish model guidelines with respect to the implementation of this article.
Last modified: February 3, 2019