Section 93. Powers and duties of the committee  


Latest version.
  • (1) The committee shall
      prepare a directory derived from the information  provided  pursuant  to
      section  three  of  chapter  six  hundred  seventy-seven  of the laws of
      nineteen hundred eighty and subdivision four of section  ninety-four  of
      this  article.  The  directory  shall include the name of each system of
      records subject  to  the  provisions  of  this  article,  the  name  and
      subdivision of the agency maintaining it, the title and business address
      of  the  person  responsible  therefor,  the  approximate number of data
      subjects and the categories of  information  collected,  and  sufficient
      information  for  the  identification  of  rules promulgated by agencies
      pursuant to this article. Individuals shall be permitted to purchase the
      directory for a reasonable price as set by the committee  in  accordance
      with law.
        (2) The committee may, upon request of a data subject eligible to make
      a  request  under section ninety-five of this article, investigate, make
      findings  and  furnish  an  advisory  opinion  in  connection  with  the
      requirements  of  section  ninety-five  of  this  article.  Prior to the
      issuance of an advisory opinion, the committee may require an agency  to
      provide  additional  information  which the committee deems necessary to
      render an opinion.  However,  no  system  of  records  exempt  from  the
      provisons of section ninety-five of this article shall be subject to the
      provisions of this subdivision.
        (3)  Within  thirty  business  days of the receipt of a privacy impact
      statement or supplemental statement by an  agency  the  committee  shall
      review such statement to determine whether the maintenance of the system
      is  within  the  lawful authority of the agency and to determine whether
      there have been established rules and procedures as required by  section
      ninety-four of this article. However, such review by the committee shall
      not  include examination of personal information or records collected or
      maintained  by  such  agency.  After  review  of  such  information  the
      committee  may  notify  the  agency  of  the  result of its review. Such
      notification and result shall not constitute  an  advisory  opinion  and
      shall  not  be  reported  as such by the committee and there shall be no
      obligation upon the agency to respond to such notification or result.
        (4) The committee shall promulgate rules for the specification of  the
      form  of  the  privacy  impact  statement. Such privacy impact statement
      shall include the following:
        (a) the name of the agency and the subdivision within the agency  that
      will maintain the system of records, and the name or title of the system
      of records in which such information will be maintained;
        (b)  the  title and business address of the official within the agency
      responsible for the system of records;
        (c) where applicable, the procedures by which a data subject may  gain
      access  to  personal  information pertaining to such data subject in the
      system of records and the procedures by which a data subject may seek to
      amend or correct its contents;
        (d) the categories and the  approximate  number  of  persons  on  whom
      records will be maintained in the system of records;
        (e)  the  categories  of  information  which  will  be  collected  and
      maintained in the system of records;
        (f) the purposes for which each category  of  information  within  the
      system of records will be collected and maintained;
        (g)  the  disclosures  of  personal  information  within the system of
      records that the  agency  will  regularly  make  for  each  category  of
      information, and the authority for such disclosures;
        (h)  the  general  or specific statutory authority for the collection,
      maintenance and disclosure of each category of  information  within  the
      system of records;
    
        (i)  policies  governing  retention and timely disposal of information
      within the system of records in accordance with law;
        (j)  each and every source for each category of information within the
      system of records;
        (k) a statement indicating whether  the  system  of  records  will  be
      maintained manually, by automated data system, or both.
        (5)  The committee shall report its activities and findings, including
      recommendations for  changes  in  the  law,  to  the  governor  and  the
      legislature annually, on or before December fifteenth.
        (6)  In  order  to  carry  out  the  provisions  of  this article, the
      committee is authorized to:
        (a) enter  into  contracts  or  other  arrangements  or  modifications
      thereof,  with  any government, any governmental unit, or any department
      of the state, or with any individual, firm, association  or  corporation
      within  the  amounts  appropriated therefor and subject to the audit and
      warrant of the state comptroller;
        (b) delegate any of its functions to such officers  and  employees  of
      the committee as the committee may designate;
        (c)  establish  model guidelines with respect to the implementation of
      this article.