94 - Agency obligations.

§ 94. Agency  obligations.  (1) Each agency that maintains a system of  records shall:    (a) except when a data subject provides  an  agency  with  unsolicited  personal  information,  maintain  in  its  records  only  such  personal  information which is relevant and necessary to accomplish a  purpose  of  the agency required to be accomplished by statute or executive order, or  to implement a program specifically authorized by law;    (b)   consistent   with   the  standards  of  paragraph  (a)  of  this  subdivision, maintain all  records  used  by  the  agency  to  make  any  determination   about   any   data  subject  with  accuracy,  relevance,  timeliness and completeness provided however, that personal  information  or  records  received  by  an  agency from another governmental unit for  inclusion in public safety  agency  records  shall  be  presumed  to  be  accurate;    (c)  collect  personal  information  directly  from  the  data subject  whenever practicable, except when collected for the  purpose  of  making  quasi-judicial determinations;    (d)  provide  each data subject whom it requests to supply information  to be maintained in a record, at the time of the initial  request,  with  notification  as provided in this paragraph. Where such notification has  been provided, subsequent requests for information from the data subject  to be  maintained  in  the  same  record  need  not  be  accompanied  by  notification  unless  the  initial notification is not applicable to the  subsequent request. Notification shall include:    (i) the name of the agency and any subdivision within the agency  that  is  requesting  the  personal  information  and the name or title of the  system of records in which such information will be maintained;    (ii) the title, business address and telephone number  of  the  agency  official who is responsible for the system of records;    (iii)  the  authority  granted by law, which authorizes the collection  and maintenance of the information;    (iv) the effects on such data subject, if any, of not providing all or  any part of the requested information;    (v) the principal purpose or purposes for which the information is  to  be collected; and    (vi)  the  uses  which  may  be  made  of  the information pursuant to  paragraphs (b), (e) and (f) of subdivision one of section ninety-six  of  this article;    (e)  ensure  that  no  record  pertaining  to  a data subject shall be  modified or destroyed to avoid the provisions of this article;    (f) cause the requirements of  this  article  to  be  applied  to  any  contract  it  executes  for the operation of a system of records, or for  research, evaluation or reporting, by the agency or on its behalf;    (g) establish written policies in accordance with  law  governing  the  responsibilities  of  persons  pertaining  to  their  involvement in the  design, development, operation or maintenance of any system of  records,  and  instruct  each  such  person  with respect to such policies and the  requirements of this article, including any other rules and  regulations  and  procedures  adopted pursuant to this article, and the penalties for  noncompliance;    (h)  establish  appropriate  administrative,  technical  and  physical  safeguards to ensure the security of records;    (i) establish rules governing retention and timely disposal of records  in accordance with law;    (j) designate an agency employee who shall be responsible for ensuring  that the agency complies with all of the provisions of this article;(k)  whenever  a  data  subject is entitled under this article to gain  access to a  record,  disclose  such  record  at  a  location  near  the  residence of the data subject whenever reasonable, or by mail;    (l)  upon  denial of a request under subdivision one or two of section  ninety-five of this article, inform the data subject of  its  procedures  for  review  of initial determinations and the name and business address  of the reviewing officials.    (2) In order to carry out the provisions of this article  each  agency  that  maintains  a  system of records shall promulgate rules which shall  set forth the following:    (a) procedures by which a data  subject  can  learn  if  a  system  of  records contains any records pertaining to him or her;    (b) reasonable times, places and means for verifying the identity of a  data subject who requests access to his or her record;    (c)  procedures for providing access, upon the data subject's request,  to the data subject's record;    (d) procedures for reviewing a request from a data subject for  access  to,  and  for correction or amendment of his or her record, for making a  determination on such request, and for an appeal within the agency of an  initial adverse agency determination.    (3) Each agency, for disclosures made pursuant to paragraphs (d),  (i)  and (l) of subdivision one of section ninety-six of this article, except  for  disclosures made for inclusion in public safety agency records when  such record is  requested  for  the  purpose  of  obtaining  information  required  for  the  investigation  of  a  violation of civil or criminal  statutes within the disclosing agency, shall:    (a) keep an accurate accounting of the date,  nature  and  purpose  of  each  disclosure  of  a record or personal information, and the name and  address of the person or governmental unit to  whom  the  disclosure  is  made;    (b) retain the accounting made under paragraph (a) of this subdivision  as  part of said record for at least five years after the disclosure for  which the accounting is made, or for the life of the  record  disclosed,  whichever is longer;    (c)  at  the  request  of the data subject, inform any person or other  governmental unit to which a disclosure has  been  or  is  made  of  any  correction,  amendment,  or  notation  of  dispute  made  by the agency,  provided that an accounting of the prior disclosure was made or that the  data subject to whom the record  pertains  provides  the  name  of  such  person or governmental unit;    (d) with respect to a disclosure made for inclusion in a public safety  agency  record  or  to  a  governmental  unit or component thereof whose  primary function is the  enforcement  of  civil  or  criminal  statutes,  notify  the  receiving  governmental  unit  that  an  accounting of such  disclosure is being made pursuant to  this  subdivision  and  that  such  accounting  will  be  accessible  to  the  data  subject upon his or her  request unless otherwise specified by the  receiving  governmental  unit  pursuant to paragraph (e) of this subdivision;    (e) with respect to a disclosure made for inclusion in a public safety  agency  record  or  to  a  governmental  unit or component thereof whose  primary function is the enforcement of civil or criminal statutes, if in  its request for the record the receiving governmental unit  states  that  it  has  determined that access by the data subject to the accounting of  such disclosure would impede criminal investigations and  specifies  the  approximate   date  on  which  such  determination  will  no  longer  be  applicable, refuse  the  data  subject  access  to  such  accounting  or  information  that  such  accounting  has  been  made,  except upon court  ordered subpoena, during the applicable time period. Upon the expirationof said time period the disclosing agency shall inquire of the receiving  governmental  unit  as  to  the  continued  relevancy  of  the   initial  determination   and,  unless  requested  in  writing  by  the  receiving  governmental  unit to extend the determination for a specified period of  time, shall make available to the data subject  an  accounting  of  said  disclosure; and    (f)  in  making  a  disclosure  pursuant to subdivision one of section  ninety-six of  this  article,  an  agency  shall  make  such  disclosure  pursuant to paragraph (d), (i) or (l) of said subdivision only when such  disclosure  cannot  be  made  pursuant  to  any  other paragraph of said  subdivision.    (4) (a) Any agency  which  established  or  substantially  modified  a  system of records after December fifteenth, nineteen hundred eighty, but  before  the  effective  date of this article, or which did not report to  the committee a system of records which it maintained prior to  December  fifteenth, nineteen hundred eighty, shall file notice with the committee  pursuant  to  chapter  six hundred seventy-seven of the laws of nineteen  hundred eighty within thirty business days of the effective date of this  article.    (b) Any agency which seeks to establish a system of records subsequent  to the effective date of this article shall file with  the  committee  a  privacy  impact  statement  as prescribed by subdivision four of section  ninety-three of this article. Any agency which seeks to modify a  system  of  records  in  a way which would render inaccurate any information set  forth in the privacy  impact  statement,  in  the  notice  described  in  paragraph  (a)  of  this  subdivision or in the notice filed pursuant to  chapter six hundred  seventy-seven  of  the  laws  of  nineteen  hundred  eighty,  shall  file  with  the  committee  a  supplemental statement to  conform  the  privacy  impact  statement  or  notice  to  the   proposed  modification.   Unless  the  date  by  which  such  proposed  system  or  modification is required by law to be instituted  is  less  than  thirty  business  days  from  the  date  of  the  filing  of  the privacy impact  statement, no such proposed system or modification shall  be  instituted  until the completion of the procedures set forth in subdivision three of  section ninety-three of this article.    (5)  Each agency shall, within fifteen business days of the receipt of  an advisory opinion issued by the committee, respond in writing  to  the  committee as to the following:    (a)  the  actions  it  has  taken,  or  will  take, to comply with the  advisory opinion; or    (b) the reasons for disagreement and noncompliance with  the  advisory  opinion.    (6)  On or before the first day of September of each year, each agency  shall submit a report covering the preceding year to the committee.  The  report shall include, with respect to requests for access to records and  with respect to requests for correction or amendment of records pursuant  to  subdivisions  one  and  two  of section ninety-five of this article,  respectively, the following information:    (i) the number of determinations made to grant such requests; and    (ii) the number of determinations made to deny such requests, in whole  or in part, respectively.    (7) The provisions of paragraphs (c) and (d)  of  subdivision  one  of  this section shall not apply to the following:    (a)  personal  information that is collected for inclusion in a public  safety agency record;    (b)  personal  information  that  is  maintained  by  a  licensing  or  franchise-approving  agency  or  component  thereof  for  the purpose of  determining whether administrative or criminal action should be taken torestrain or prosecute purported violations of law, or  to  grant,  deny,  suspend,  or revoke a professional, vocational, or occupational license,  certification or registration, or to deny or approve a franchise;    (c)  personal  information  solicited  from  a  data subject receiving  services at a treatment facility, provided that each such  data  subject  shall,  as  soon  as  practicable,  be provided a notification including  information specified in subparagraphs (i), (ii), (iii), (iv),  (v)  and  (vi)  of  paragraph  (d)  of  subdivision one of this section describing  systems of  records  concerning  the  data  subject  maintained  by  the  treatment facility.    (8)  The provisions of subdivisions two, three and six of this section  shall not apply to public safety agency records.    (9) Nothing in this article shall abrogate in any way  any  obligation  regarding  the  maintenance of records otherwise imposed on an agency at  law or in equity.    (10) Each agency record which is transferred to the state archives  as  a  record  which has sufficient historical or other value to warrant its  continued preservation by the state shall,  for  the  purposes  of  this  article,  be considered to be maintained by the state archives and shall  be exempt from the requirements of this  article,  except  as  otherwise  provided  in  this section and except that such record shall continue to  be  subject  to  inspection  and  correction  by  the  data  subject  by  application to the agency which compiled it, as provided in subdivisions  one through four of section ninety-five of this chapter.