Introduction 627-2015 Securing personal information privacy

Date of Introduction: 
01/22/2015
Legislative Status: 
Committee: 
Sponsors: 
Plain English Summary: 

This bill would require each city agency that collects personal information to develop a system to protect the privacy of that information. The system of protection would include appropriate administrative, technical and physical safeguards to ensure the confidentiality of personal records and would also require the destruction of those records once the purpose of collecting that information is achieved. 

 

Legislative Text: 
Int. No. 627
 
By Council Members Kallos and Mendez (by request of the Manhattan Borough President)
 
 
A Local Law to amend the administrative code of the city of New York, in relation to securing personal information privacy.
 
 
Be it enacted by the Council as follows:
 
Section 1. Title 8 of the administrative code of the city of New York is amended by adding a new chapter 12 to read as follows:
CHAPTER 12
PERSONAL INFORMATION PRIVACY
§8-1201 Definitions
§8-1202 Collection of information
§8-1203 Use of information
§8-1204 Access to information
§8-1205 Information security
§8-1201 Definitions. As used in this chapter: a. "agency" means an office, administration, department, division, bureau, board, commission, authority, corporation, advisory committee or other governmental entity performing a governmental function of the city of New York;
b. "determination" means a decision made by an agency with respect to an individual, including, but not limited to:
(1) eligibility for services or benefits;
(2) issuing a permit;
(3) registration, certification and licensing; or
(4) liability for civil and criminal penalties.
c. "personal information" means any information concerning an individual which, because of name, number, symbol, mark or other identifier, can be used to identify that individual;
d. "record" means any item, collection or grouping of personal information about a subject individual that is retrievable by name or other identifier of the subject individual that is maintained by an agency for the purposes of making a determination about the subject individual, but shall not include an agency's employment records, business records, telephone or email directories and contact lists.
e. "routine use" means any use of such record or personal information that is compatible with the purpose for which it was collected; and
f. "subject individual" means any natural person about whom personal information has been collected.
§8-1202 Collection of information. Each agency that maintains a system of records pertaining to individuals shall: a. collect information to the greatest extent practicable directly from the subject individual;
b. collect and maintain only such information about a subject individual as is relevant and necessary to accomplish a purpose of the agency that is required or authorized by law; and
c. except with respect to information gathered as part of an ongoing criminal investigation, inform each individual from whom it collects information on a form that can be retained by the individual of: (1) the law that authorizes the solicitation of the information and whether the disclosure of such information is mandatory or voluntary;
(2) the principle purpose or purposes for which the information is intended to be used;
(3) the agency or agencies that will have access to the information in order to accomplish the purpose or purposes for which the information is intended to be used;
(4) the routine uses which may be made of the information;
(5) the consequences to the subject individual, if any, of failing to provide all or part of the requested information; and
(6) the direct telephone number, address and electronic address of the office or officer responsible for maintaining the system of records.
§8-1203 Use of information. a. An agency shall use personal information obtained from an individual only for the purpose or purposes for which it was collected.
b. A subject individual may consent to uses of personal information other than the uses authorized in subdivision a. of this section provided that such consent is informed, voluntary, in writing that describes the other uses to which the information may be put, and is signed by the subject individual.
c. Consent provided under subdivision b. of this section shall be for a period no greater than four years and may be withdrawn by a subject individual in writing at any time to the office or officer responsible for maintaining the system of records.
d. For the purposes of this section, the parent, or the legal guardian of a minor or any subject individual who has been declared to be incompetent by a court of competent jurisdiction, may act on behalf of such minor or subject individual.
§8-1204 Access to information. a. Officers and employees of an agency shall only have such access to personal information as is necessary to perform their duties.
b. No agency shall disclose any record pertaining to an individual by any means of communication to any person or agency except pursuant to a written request by, or with the prior written consent of, the subject individual unless disclosure of the record is: (1) to those officers and employees of the agency that maintains the record for a routine use;
(2) specifically authorized by New York state or federal statute, law, rule or regulation;
(3) to another agency, or to a New York state or federal governmental entity, for a civil or criminal law enforcement activity if the activity is authorized by law, and if the head of the agency has made a written request to the agency that maintains the records specifying the particular portion desired and the law enforcement activity for which the record is sought; or
(4) pursuant to the order of a court of competent jurisdiction.
c. Upon written request by an individual, an agency shall provide copies of all the records maintained by an agency that pertain to that individual within fourteen days, excluding any such records that are kept and maintained as part of an ongoing criminal investigation that is authorized by law. For the purposes of this subdivision, accountings created under subdivision c. of section 8-1205 of this chapter shall be considered a record pertaining to the subject individual of the record for which such accounting was created.  Agencies may charge the individual a maximum of twenty-five cents for each page copied.
d. Records pertaining to an individual or individuals, excluding any such records that are kept and maintained as part of an ongoing criminal investigation that is authorized by law, shall be made available to a recipient with advance written assurance that the record will be used solely for a statistical research and reporting provided that the records are transferred in a form that contains no information which identifies the subject individual or individuals.
§8-1205 Information security. Each agency that maintains a system of records pertaining to individuals shall: a. establish appropriate administrative, technical, and physical safeguards to insure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity which could result in substantial harm, inconvenience, or unfairness to any individual on whom information is maintained;
b. destroy by making unreadable by any means such information that is no longer required for the purpose or purposes for which it was collected, or for purposes of audit or litigation, or to which the subject individual has consented, provided such destruction is in accordance with the rules promulgated by the department of records and information services regarding the disposal of records by city agencies;
c. create and maintain for not less than five years or for the life of the record, whichever is longer, an accurate accounting of the date, nature, and purpose of each disclosure of a record to any person or to another agency and the name and address of the person or agency to whom the disclosure is made; and
d. notify the subject individual within twenty-four hours from the discovery of unauthorized access to or disclosure of the personal information of such individual.
§2. This local law shall take effect one hundred eighty days after its enactment into law.
 
 
ARP
Int. 0181/2010
LS# 1538
1/15/15 4:12PM

Post new comment

The content of this field is kept private and will not be shown publicly.
CAPTCHA
This question is for testing whether you are a human visitor and to prevent automated spam submissions.
Image CAPTCHA
Enter the characters shown in the image.