2 CRR-NY 111.4NY-CRR
2 CRR-NY 111.4
2 CRR-NY 111.4
111.4 Privacy officer.
(a) The privacy officer is responsible for:
(1) assisting a data subject in identifying and requesting personal information, if necessary;
(2) describing the contents of systems of records orally or in writing in order to enable a data subject to learn if a system of records includes a record or personal information identifiable to a data subject requesting such record or personal information;
(3) insuring that appropriate procedures are developed and implemented so that one of the following actions is taken upon locating the record sought:
(i) make the record available for inspection, in a printed form without codes or symbols, unless an accompanying document explaining such codes or symbols is also provided;
(ii) permit the data subject to copy the record; or
(iii) deny access to the record in whole or in part, and explain in writing the reasons therefor;
(4) making a copy available, upon request, upon payment of or offer to pay established fees, if any, or permitting the data subject to copy the record;
(5) upon request, certifying that a copy of a record is a true copy; or
(6) certifying, upon request, that:
(i) this office does not have possession of the record sought;
(ii) this office cannot locate the record sought after having made a diligent search; or
(iii) the information sought cannot be retrieved by use of the name or other identifier of the data subject without extraordinary search methods being employed by this office.
(b) The privacy officer is responsible for ensuring that the office complies with the provisions of the Personal Privacy Protection Law and the regulations herein and for coordinating the response to requests for records or amendment or correction of records. In particular, the privacy officer shall perform the functions of the office at 110 State Street, Albany, NY 12236-0001. The officer shall cause a public notice to be posted at 110 State Street, Albany, NY, and all other buildings occupied by this office, informing members of the public of the officer’s location and telephone number; of the times and places records will be available for inspection and copying; and of the right to appeal a denial of a request for a record or an amendment or correction thereto; which shall include the name, address and telephone number of the privacy appeals officer.
(c) The privacy officer shall coordinate with the privacy committee, as designated by the Comptroller, to develop and, from time to time, to update internal policies, procedures and guidance on the collection, use, safeguarding, disclosure and disposal of personal information. Those policies, procedures and guidance shall include, but not be limited to, addressing the following objectives:
(1) to compile and maintain an inventory of agency forms utilizing social security numbers as identifiers for data subjects and to work toward elimination of such use, absent an exception granted by the privacy committee;
(2) to review agency forms to insure that the proper privacy notice is used;
(3) to assist in the development of a process for review of new systems of data collection to insure that appropriate privacy notices are included and to provide mitigation strategies to reduce privacy impact;
(4) to recommend appropriate measures to communicate the importance of compliance with personal privacy protection measures to staff, including periodic training and outreach to build a culture of privacy across the office and transparency to the public;
(5) to assist in the identification and documentation of privacy risks and development of appropriate internal controls in coordination with the internal controls officer and other staff with a privacy-related role;
(6) to operate an office-wide privacy incident response program to insure that incidents involving personal information are properly reported and mitigated, as appropriate.
2 CRR-NY 111.4
Current through August 31, 2022
| End of Document |