94. Agency obligations. (1) Each agency that maintains a system of records shall:
(a) except when a data subject provides an agency with unsolicited personal information, maintain in its records only such personal information which is relevant and necessary to accomplish a purpose of the agency required to be accomplished by statute or executive order, or to implement a program specifically authorized by law;
(b) consistent with the standards of paragraph (a) of this subdivision, maintain all records used by the agency to make any determination about any data subject with accuracy, relevance, timeliness and completeness provided however, that personal information or records received by an agency from another governmental unit for inclusion in public safety agency records shall be presumed to be accurate;
(c) collect personal information directly from the data subject whenever practicable, except when collected for the purpose of making quasi-judicial determinations;
(d) provide each data subject whom it requests to supply information to be maintained in a record, at the time of the initial request, with notification as provided in this paragraph. Where such notification has been provided, subsequent requests for information from the data subject to be maintained in the same record need not be accompanied by notification unless the initial notification is not applicable to the subsequent request. Notification shall include:
(i) the name of the agency and any subdivision within the agency that is requesting the personal information and the name or title of the system of records in which such information will be maintained;
(ii) the title, business address and telephone number of the agency official who is responsible for the system of records;
(iii) the authority granted by law, which authorizes the collection and maintenance of the information;
(iv) the effects on such data subject, if any, of not providing all or any part of the requested information;
(v) the principal purpose or purposes for which the information is to be collected; and
(vi) the uses which may be made of the information pursuant to paragraphs (b), (e) and (f) of subdivision one of section ninety-six of this article;
(e) ensure that no record pertaining to a data subject shall be modified or destroyed to avoid the provisions of this article;
(f) cause the requirements of this article to be applied to any contract it executes for the operation of a system of records, or for research, evaluation or reporting, by the agency or on its behalf;
(g) establish written policies in accordance with law governing the responsibilities of persons pertaining to their involvement in the design, development, operation or maintenance of any system of records, and instruct each such person with respect to such policies and the requirements of this article, including any other rules and regulations and procedures adopted pursuant to this article, and the penalties for noncompliance;
(h) establish appropriate administrative, technical and physical safeguards to ensure the security of records;
(i) establish rules governing retention and timely disposal of records in accordance with law;
(j) designate an agency employee who shall be responsible for ensuring that the agency complies with all of the provisions of this article;
(k) whenever a data subject is entitled under this article to gain access to a record, disclose such record at a location near the residence of the data subject whenever reasonable, or by mail;
(l) upon denial of a request under subdivision one or two of section ninety-five of this article, inform the data subject of its procedures for review of initial determinations and the name and business address of the reviewing officials.
(2) In order to carry out the provisions of this article each agency that maintains a system of records shall promulgate rules which shall set forth the following:
(a) procedures by which a data subject can learn if a system of records contains any records pertaining to him or her;
(b) reasonable times, places and means for verifying the identity of a data subject who requests access to his or her record;
(c) procedures for providing access, upon the data subject's request, to the data subject's record;
(d) procedures for reviewing a request from a data subject for access to, and for correction or amendment of his or her record, for making a determination on such request, and for an appeal within the agency of an initial adverse agency determination.
(3) Each agency, for disclosures made pursuant to paragraphs (d), (i) and (l) of subdivision one of section ninety-six of this article, except for disclosures made for inclusion in public safety agency records when such record is requested for the purpose of obtaining information required for the investigation of a violation of civil or criminal statutes within the disclosing agency, shall:
(a) keep an accurate accounting of the date, nature and purpose of each disclosure of a record or personal information, and the name and address of the person or governmental unit to whom the disclosure is made;
(b) retain the accounting made under paragraph (a) of this subdivision as part of said record for at least five years after the disclosure for which the accounting is made, or for the life of the record disclosed, whichever is longer;
(c) at the request of the data subject, inform any person or other governmental unit to which a disclosure has been or is made of any correction, amendment, or notation of dispute made by the agency, provided that an accounting of the prior disclosure was made or that the data subject to whom the record pertains provides the name of such person or governmental unit;
(d) with respect to a disclosure made for inclusion in a public safety agency record or to a governmental unit or component thereof whose primary function is the enforcement of civil or criminal statutes, notify the receiving governmental unit that an accounting of such disclosure is being made pursuant to this subdivision and that such accounting will be accessible to the data subject upon his or her request unless otherwise specified by the receiving governmental unit pursuant to paragraph (e) of this subdivision;
(e) with respect to a disclosure made for inclusion in a public safety agency record or to a governmental unit or component thereof whose primary function is the enforcement of civil or criminal statutes, if in its request for the record the receiving governmental unit states that it has determined that access by the data subject to the accounting of such disclosure would impede criminal investigations and specifies the approximate date on which such determination will no longer be applicable, refuse the data subject access to such accounting or information that such accounting has been made, except upon court ordered subpoena, during the applicable time period. Upon the expiration of said time period the disclosing agency shall inquire of the receiving governmental unit as to the continued relevancy of the initial determination and, unless requested in writing by the receiving governmental unit to extend the determination for a specified period of time, shall make available to the data subject an accounting of said disclosure; and
(f) in making a disclosure pursuant to subdivision one of section ninety-six of this article, an agency shall make such disclosure pursuant to paragraph (d), (i) or (l) of said subdivision only when such disclosure cannot be made pursuant to any other paragraph of said subdivision.
(4) (a) Any agency which established or substantially modified a system of records after December fifteenth, nineteen hundred eighty, but before the effective date of this article, or which did not report to the committee a system of records which it maintained prior to December fifteenth, nineteen hundred eighty, shall file notice with the committee pursuant to chapter six hundred seventy-seven of the laws of nineteen hundred eighty within thirty business days of the effective date of this article.
(b) Any agency which seeks to establish a system of records subsequent to the effective date of this article shall file with the committee a privacy impact statement as prescribed by subdivision four of section ninety-three of this article. Any agency which seeks to modify a system of records in a way which would render inaccurate any information set forth in the privacy impact statement, in the notice described in paragraph (a) of this subdivision or in the notice filed pursuant to chapter six hundred seventy-seven of the laws of nineteen hundred eighty, shall file with the committee a supplemental statement to conform the privacy impact statement or notice to the proposed modification. Unless the date by which such proposed system or modification is required by law to be instituted is less than thirty business days from the date of the filing of the privacy impact statement, no such proposed system or modification shall be instituted until the completion of the procedures set forth in subdivision three of section ninety-three of this article.
(5) Each agency shall, within fifteen business days of the receipt of an advisory opinion issued by the committee, respond in writing to the committee as to the following:
(a) the actions it has taken, or will take, to comply with the advisory opinion; or
(b) the reasons for disagreement and noncompliance with the advisory opinion.
(6) On or before the first day of September of each year, each agency shall submit a report covering the preceding year to the committee. The report shall include, with respect to requests for access to records and with respect to requests for correction or amendment of records pursuant to subdivisions one and two of section ninety-five of this article, respectively, the following information:
(i) the number of determinations made to grant such requests; and
(ii) the number of determinations made to deny such requests, in whole or in part, respectively.
(7) The provisions of paragraphs (c) and (d) of subdivision one of this section shall not apply to the following:
(a) personal information that is collected for inclusion in a public safety agency record;
(b) personal information that is maintained by a licensing or franchise-approving agency or component thereof for the purpose of determining whether administrative or criminal action should be taken to restrain or prosecute purported violations of law, or to grant, deny, suspend, or revoke a professional, vocational, or occupational license, certification or registration, or to deny or approve a franchise;
(c) personal information solicited from a data subject receiving services at a treatment facility, provided that each such data subject shall, as soon as practicable, be provided a notification including information specified in subparagraphs (i), (ii), (iii), (iv), (v) and (vi) of paragraph (d) of subdivision one of this section describing systems of records concerning the data subject maintained by the treatment facility.
(8) The provisions of subdivisions two, three and six of this section shall not apply to public safety agency records.
(9) Nothing in this article shall abrogate in any way any obligation regarding the maintenance of records otherwise imposed on an agency at law or in equity.
(10) Each agency record which is transferred to the state archives as a record which has sufficient historical or other value to warrant its continued preservation by the state shall, for the purposes of this article, be considered to be maintained by the state archives and shall be exempt from the requirements of this article, except as otherwise provided in this section and except that such record shall continue to be subject to inspection and correction by the data subject by application to the agency which compiled it, as provided in subdivisions one through four of section ninety-five of this chapter.
Last modified: February 3, 2019