Current through Register Vol. 46, No. 12, March 20, 2024
(a) The privacy officer is responsible for:
(1) assisting a data subject in identifying and requesting personal
information, if necessary;
(2) describing the contents of systems of records orally or in writing in order
to enable a data subject to learn if a system of records includes a record or
personal information identifiable to a data subject requesting such record or
personal information;
(3) insuring that appropriate procedures are developed and implemented so that
one of the following actions is taken upon locating the record sought:
(i) make the record available for inspection,
in a printed form without codes or symbols, unless an accompanying document
explaining such codes or symbols is also provided;
(ii) permit the data subject to copy the
record; or
(iii) deny access to the record in whole or in part, and explain in writing the
reasons therefor;
....
(4) making a copy available, upon request,
upon payment of or offer to pay established fees, if any, or permitting the
data subject to copy the record;
(5) upon request, certifying that a copy of a
record is a true copy; or
(6) certifying, upon request, that:
(i) this office does not have possession of the record sought;
(ii) this office cannot locate the record
sought after having made a diligent search; or
(iii) the information sought cannot be
retrieved by use of the name or other identifier of the data subject without
extraordinary search methods being employed by this office.
(b) The privacy officer is responsible for ensuring that the office complies
with the provisions of the Personal Privacy Protection Law and the regulations
herein and for coordinating the response to requests for records or amendment
or correction of records. In particular, the privacy officer shall perform the
functions of the office at 110 State Street, Albany, 12236-0001. The officer
shall cause a public notice to be posted at 110 State Street, Albany, NY, and
all other buildings occupied by this office, informing members of the public of
the officer's location and telephone number; of the times and places records
will be available for inspection and copying; and of the right to appeal a
denial of a request for a record or an amendment or correction thereto; which
shall include the name, address and telephone number of the privacy appeals
officer.
(c) The privacy officer shall coordinate with the Privacy Committee, as
designated by the Comptroller, to develop and, from time to time, to update
internal policies, procedures and guidance on the collection, use,
safeguarding, disclosure and disposal of personal information. Those policies,
procedures and guidance shall include, but not be limited to, addressing the
following objectives:
(1) To compile and maintain an inventory of agency forms utilizing social
security numbers as identifiers for data subjects and to work toward
elimination of such use, absent an exception granted by the Privacy Committee;
(2) To review agency forms to insure that the
proper privacy notice is used;
(3) To assist in the development of a process for review of new systems of data
collection to insure that appropriate privacy notices are included and to
provide mitigation strategies to reduce privacy impact;
(4) To recommend appropriate measures to
communicate the importance of compliance with personal privacy protection
measures to staff, including periodic training and outreach to build a culture
of privacy across the office and transparency to the public;
(5) To assist in the identification and
documentation of privacy risks and development of appropriate internal controls
in coordination with the Internal Controls Officer and other staff with a
privacy-related role;
(6) To operate an office-wide privacy incident response program to insure that
incidents involving personal information are properly reported and mitigated,
as appropriate.