Councilman Ben Kallos on Thursday reintroduced two pieces of legislation on behalf of Manhattan Borough President Gale Brewer aimed at ensuring that New Yorkers' personal information is protected in interactions with city agencies.
The first piece of legislation, related to personal information privacy, directs agencies collecting personal information to inform individuals about the legal framework for gathering it, the purpose of gathering it and how it will be used; codifies that agencies may not use data for purposes without an individual's permission and that agency officials should only have access to the personal information that is necessary for their duties; and directs agencies to ensure the security and confidentiality of systems containing personal data.
The second piece of legislation, related to personal information security, directs all agencies maintaining personal information records to implement a security program that details administrative, technical and physical safeguards protecting that data.
Brewer originally introduced the first piece of legislation in 2010, and the second in 2011, but timing issues prevented them from moving forward, she said.
In an interview, Kallos said the legislation was intended as a proactive measure, especially in light of increasing reports of data breaches in the private sector.
"A lot of people aren't paying attention to what data they are sharing," he said. "City agencies should only be collecting information that is necessary for their task.... If someone is applying for SNAP benefits...the only people who need to know that are them and the person [they] are applying to."
He said the legislation would not prevent the gathering of anonymized, aggregated data for research purposes, and that it was mandating measures that the city "should be engaged in anyway."
Brewer said that even as she has been advocating for more and more granular data collection as the key backer of the city's open data law, "I worry that there has been a lack of focus on security, particularly of personal information." She said that there had been data lapses in the past involving the Administration of Children's Services, medical records stolen from a van operated by a vendor and the Department of Education improperly disposing of documents.
"Citizens should know if and what information is being collected...that personally identifiable information is being protected," she said. "They should know their rights."
She said she anticipated that the first bill would face little challenge, while the second might prompt more questions about how it applies to different agencies. In the State of the Union, she said she noticed that "when [Obama] talked about data and privacy he got a unanimous clap from Republicans and Democrats—this is very cutting edge, this discussion needs to be had."
At a 2012 hearing on the personal information security legislation, Daniel Srebnick, then the associate commissioner for I.T. security at the Department of Information Technology and Telecommunications and chief information security officer for the city, said DoITT was in support of the overall goal of the legislation, but said that the proposal would require further examination to ensure the feasibility of its implementation and standardization across city agencies.
Last week, Attorney General Eric Schneiderman proposed legislation that would broaden the state's data security laws applying to businesses.